Fix security issue in /reviews/show URL

author: simonbrandhof <simon.brandhof@gmail.com> 2011-05-12 11:32:07 +0200
committer: simonbrandhof <simon.brandhof@gmail.com> 2011-05-12 11:32:07 +0200
commit: d7fad9e9287db2442a9cd200216fd981bb1f7ba0 (patch)
tree: e13fa01a12a409e464d0009bcc2d7429d075e5b0 /sonar-server
parent: 4449f9bf5adf0b70666482a320ce663765296b51 (diff)
download: sonarqube-d7fad9e9287db2442a9cd200216fd981bb1f7ba0.tar.gz
sonarqube-d7fad9e9287db2442a9cd200216fd981bb1f7ba0.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
index e492dcf8b29..8404e2a6eb2 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/reviews_controller.rb
@@ -52,7 +52,11 @@ class ReviewsController < ApplicationController
 
   def show
     @review = Review.find(params[:id], :include => ['project'])
-    render :partial => 'reviews/show'
+    if has_role?(:user, @review.project)
+      render :partial => 'reviews/show'
+    else
+      render :text => "access denied"
+    end
   end
 
   # GET
author	simonbrandhof <simon.brandhof@gmail.com>	2011-05-12 11:32:07 +0200
committer	simonbrandhof <simon.brandhof@gmail.com>	2011-05-12 11:32:07 +0200
commit	d7fad9e9287db2442a9cd200216fd981bb1f7ba0 (patch)
tree	e13fa01a12a409e464d0009bcc2d7429d075e5b0 /sonar-server
parent	4449f9bf5adf0b70666482a320ce663765296b51 (diff)
download	sonarqube-d7fad9e9287db2442a9cd200216fd981bb1f7ba0.tar.gz sonarqube-d7fad9e9287db2442a9cd200216fd981bb1f7ba0.zip