Commit 6d37fe95 authored by Committed by Alejandro RodríguezBrowse files
Merge branch 'jej-fix-missing-access-check-on-issues' into 'security'
Fix missing access checks on issue lookup using IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
⚠- Potentially untested 💣- No test coverage 🚥- Test coverage of some sort exists (a test failed when error raised) 🚦- Test coverage of return value (a test failed when nil used) ✅- Permissions check tested - [x] ✅app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helpes limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc. - [x] 🚥app/models/cycle_analytics/summary.rb:9 [`.count`] - [x] ✅app/controllers/projects/todos_controller.rb:19 - [x] Potential double render in app/controllers/projects/todos_controller.rb - https://dev.gitlab.org/gitlab/...
Showing with 62 additions and 23 deletions