From fec9fb05a5775b864ef6768df166d39fcb2be4bc Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Thu, 18 Jan 2018 23:10:19 +0000
Subject: Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'
Restrict Todo API mark_as_done endpoint to the user's todos only
---
 lib/api/v3/todos.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/api/v3')
diff --git a/lib/api/v3/todos.rb b/lib/api/v3/todos.rb
index 2f2cf259987..3e2c61f6dbd 100644
--- a/lib/api/v3/todos.rb
+++ b/lib/api/v3/todos.rb
@@ -12,7 +12,7 @@ module API
 end
 delete ':id' do
 TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
- todo = Todo.find(params[:id])
+ todo = current_user.todos.find(params[:id])
 present todo, with: ::API::Entities::Todo, current_user: current_user
 end
--
cgit v1.2.1
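Review bot: The ownership scoping on the new `current_user.todos.find(params[:id])` line runs after `TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)` on the preceding context line, so whether a caller can still mark another user's todo as done depends on that service also restricting its lookup to current_user, which this hunk does not show. Resolving the record first and handing its id to the service makes the endpoint's authorization independent of the service's internals: `todo = current_user.todos.find(params[:id])` followed by `TodoService.new.mark_todos_as_done_by_ids(todo.id, current_user)`. The scoped `find` raises ActiveRecord::RecordNotFound for ids outside the user's todos, which presumably surfaces as a 404 rather than a 403 in this API layer; confirm that is the intended response for the security fix. The enclosing `resource` block and class start before this hunk.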