From a540fd545d59bf72ef3a073d28617c87d978d44d Mon Sep 17 00:00:00 2001 From: Thomas Hipp Date: Tue, 5 Apr 2016 08:53:35 +0200 Subject: [PATCH] Don't allow access to the hidden global team The link to the global team is now hidden. If a user tries to access it anyway, the user is presented with a 404 error. Fixes #658 Signed-off-by: Thomas Hipp --- app/controllers/teams_controller.rb | 2 ++ app/views/namespaces/show.html.slim | 7 ++++--- spec/controllers/teams_controller_spec.rb | 11 +++++++++++ 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb index 653cf558b..417a16259 100644 --- a/app/controllers/teams_controller.rb +++ b/app/controllers/teams_controller.rb @@ -14,6 +14,8 @@ def index # GET /teams/1 # GET /teams/1.json def show + raise ActiveRecord::RecordNotFound if @team.name.starts_with?("portus_global_team_") + authorize @team @team_users = @team.team_users.enabled.page(params[:users_page]).per(10) @team_namespaces = @team.namespaces.page(params[:namespaces_page]).per(15) diff --git a/app/views/namespaces/show.html.slim b/app/views/namespaces/show.html.slim index baa9b5b7d..21bdfba5c 100644 --- a/app/views/namespaces/show.html.slim +++ b/app/views/namespaces/show.html.slim @@ -43,9 +43,10 @@ 'Namespace: strong = @namespace.clean_name - h6.label.label-info - | Belongs to: - = link_to "#{@namespace.team.name}", @namespace.team + - unless @namespace.global? + h6.label.label-info + | Belongs to: + = link_to "#{@namespace.team.name}", @namespace.team .panel-body .table-responsive table.table.table-stripped.table-hover diff --git a/spec/controllers/teams_controller_spec.rb b/spec/controllers/teams_controller_spec.rb index 530abda89..7e383b95f 100644 --- a/spec/controllers/teams_controller_spec.rb +++ b/spec/controllers/teams_controller_spec.rb 
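Review bot: The new guard in `show` identifies the global team by name prefix, `@team.name.starts_with?("portus_global_team_")`, rather than by the `hidden` flag that the spec fixture in this same patch sets (`hidden: true`). If team names can be chosen by users, a regular team created with that prefix would return 404 to its own members, and a hidden team with any other name would stay reachable; whether name validation rules this out is not visible here. Assuming `hidden` is a boolean attribute on the team model, `raise ActiveRecord::RecordNotFound if @team.hidden?` ties the check to the attribute, and a short comment such as `# hidden teams must look nonexistent, so 404 before authorize` would record why it precedes `authorize @team`. The view hunk keys on yet another predicate, `@namespace.global?`, so the two conditions can drift apart. Only `show` is guarded in this hunk, and the rest of the controller is outside it, so any other action that loads a team by id should be checked for the same rule.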
@@ -13,6 +13,11 @@ let(:owner) { create(:user) } let(:team) { create(:team, description: "short test description", owners: [owner]) } + let(:hidden_team) do + create(:team, name: "portus_global_team_1", + description: "short test description", owners: [owner], + hidden: true) + end describe "GET #show" do @@ -42,6 +47,12 @@ expect(response.status).to eq 401 end + it "drops requests to a hidden global team" do + sign_in owner + + expect { get :show, id: hidden_team.id }.to raise_error(ActiveRecord::RecordNotFound) + end + it "does not display disabled users" do user = create(:user, enabled: false) TeamUser.create(team: team, user: user, role: TeamUser.roles["viewer"])
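Review bot: The `hidden_team` fixture sets both the `portus_global_team_` name prefix and `hidden: true`, so the new example "drops requests to a hidden global team" passes whichever of the two the controller actually checks. Splitting it into two cases would pin the intended rule: a team with `hidden: true` and an ordinary name, and a regular team whose name merely starts with the prefix. The example also runs only after `sign_in owner`. A second example without `sign_in` would confirm that the hidden team yields the same not-found result for an anonymous request, rather than the 401 expected in the example just above it.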