
Fix security issues with teams
authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Fri, 25 Jan 2013 13:51:45 +0000 (15:51 +0200)
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Fri, 25 Jan 2013 13:51:45 +0000 (15:51 +0200)
app/controllers/dashboard_controller.rb
app/controllers/teams_controller.rb
app/helpers/application_helper.rb
app/models/user.rb

index 1322973..13b7f02 100644 (file)
@@ -18,7 +18,7 @@ class DashboardController < ApplicationController
                   @projects
                 end
 
-    @teams = (UserTeam.with_member(current_user) + UserTeam.created_by(current_user)).uniq
+    @teams = current_user.authorized_teams
 
     @projects = @projects.page(params[:page]).per(30)
 
index 828bdeb..e69a092 100644 (file)
@@ -4,11 +4,9 @@ class TeamsController < ApplicationController
   before_filter :authorize_manage_user_team!, only: [:edit, :update]
   before_filter :authorize_admin_user_team!, only: [:destroy]
 
-  layout 'user_team', except: [:new, :create]
+  before_filter :user_team, except: [:new, :create]
 
-  def index
-    @teams = current_user.user_teams.order('name ASC')
-  end
+  layout 'user_team', except: [:new, :create]
 
   def show
     user_team
@@ -83,7 +81,6 @@ class TeamsController < ApplicationController
   end
 
   def user_team
-    @team ||= UserTeam.find_by_path(params[:id])
+    @team ||= current_user.authorized_teams.find_by_path(params[:id])
   end
-
 end
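Review bot: `user_team` on the new side (L43) returns nil when the requested path is not among the caller's authorized teams, because `find_by_path` does not raise, so every action that now runs behind `before_filter :user_team` will dereference a nil `@team` and fail with a NoMethodError (500) rather than the 404 that a team outside the user's scope should get. Add a guard after the assignment, `raise ActiveRecord::RecordNotFound unless @team`, so unauthorized and nonexistent paths are indistinguishable to the client and surface as ordinary not-found responses in the logs. The `||=` memoization also re-runs the query on each call while the result is nil, which the guard makes moot. The `index` action removed in the first hunk only stops being reachable if the corresponding route was removed as well; the routes file is not part of this commit, so that is worth confirming.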
index 9aafce5..196105f 100644 (file)
@@ -74,6 +74,7 @@ module ApplicationHelper
   def search_autocomplete_source
     projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
     groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
+    teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
 
     default_nav = [
       { label: "My Profile", url: profile_path },
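Review bot: `teams` is assigned at L52 but nothing in the hunk adds it to the autocomplete result, and the rest of `search_autocomplete_source` is outside the hunk; if the expression that merges `projects` and `groups` into the returned array was not updated in the same way, the new line is dead and teams never appear in the autocomplete. Please confirm the return expression includes `teams`. `team_path(team)` presumably relies on `UserTeam#to_param` returning the path that `TeamsController#user_team` looks up with `find_by_path`; that pairing is not visible here and should be checked.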
index 7a0d664..29f2629 100644 (file)
@@ -295,4 +295,15 @@ class User < ActiveRecord::Base
   def namespace_id
     namespace.try :id
   end
+
+  def authorized_teams
+    @authorized_teams ||= begin
+                            ids = []
+                            ids << UserTeam.with_member(self).pluck('user_teams.id')
+                            ids << UserTeam.created_by(self).pluck('user_teams.id')
+                            ids.flatten
+
+                            UserTeam.where(id: ids)
+                          end
+  end
 end
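Review bot: `ids.flatten` at L67 is a no-op: `Array#flatten` returns a new array and the result is discarded, so `ids` is still a nested array (`[[...], [...]]`) when it reaches `UserTeam.where(id: ids)` at L69, and whether that still produces a correct `IN (...)` depends on how the installed Arel version visits nested arrays rather than on anything this code guarantees. Use the value directly, `UserTeam.where(id: ids.flatten)`, and drop L67, or build `ids` with `+` instead of two `<<` pushes. Since this relation is what `TeamsController#user_team` now uses to scope every team lookup, a spec asserting that a team the user neither created nor belongs to is absent from `authorized_teams` would pin the fix. The `begin` body is also indented to column 28; the usual two-space indent under `||= begin` would read more easily.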