From d7fad9e9287db2442a9cd200216fd981bb1f7ba0 Mon Sep 17 00:00:00 2001
From: simonbrandhof
Date: Thu, 12 May 2011 11:32:07 +0200
Subject: [PATCH] Fix security issue in /reviews/show URL

---
 .../webapp/WEB-INF/app/controllers/reviews_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
index e492dcf8b29..8404e2a6eb2 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
@@ -52,7 +52,11 @@ class ReviewsController < ApplicationController
 
 def show
 @review = Review.find(params[:id], :include => ['project'])
- render :partial => 'reviews/show'
+ if has_role?(:user, @review.project)
+ render :partial => 'reviews/show'
+ else
+ render :text => "access denied"
+ end
 end
 
 # GET
-- 
2.39.5
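Review bot: The denial branch in `show` answers with `render :text => "access denied"`, which goes out with the default 200 status, so clients, proxies and access logs cannot tell a refused request from a successful one. Setting the status explicitly, `render :text => "access denied", :status => 403`, keeps the body and makes refusals visible to monitoring and alerting. The check is added only to `show`, and the class continues outside this hunk (the next action begins at `# GET`), so it is worth confirming that every other action that loads a review from `params[:id]` applies the same `has_role?(:user, @review.project)` test. A short comment above the condition, such as `# reviews inherit the access rights of their project`, would also record why the project is the object being checked.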