Review response: Changed message leaking info

ManageIQ · Mar 30, 2017 · 6faf046 · 6faf046
1 parent 5064aaf
commit 6faf046
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1397,7 +1397,10 @@ def find_record_with_rbac(klass, id, options = {})
     raise _("Invalid input") unless is_integer?(id)
     tested_object = klass.find_by(:id => id)
     if tested_object.nil?
-      raise _("Selected %{model_name} no longer exists") % {:model_name => ui_lookup(:model => klass.to_s)}
+      raise(_("User '%{user_id}' is not authorized to access '%{model}' record id '%{record_id}'") %
+              {:user_id   => current_userid,
+               :record_id => id,
+               :model     => ui_lookup(:model => klass.to_s)})
     end
     Rbac.filtered_object(tested_object, :user => current_user, :named_scope => options[:named_scope]) ||
       raise(_("User '%{user_id}' is not authorized to access '%{model}' record id '%{record_id}'") %

diff --git a/spec/controllers/application_controller/ci_processing_spec.rb b/spec/controllers/application_controller/ci_processing_spec.rb
@@ -657,7 +657,7 @@
     it "Verify flash error message when passed in ID no longer exists in database" do
       record = controller.send(:identify_record, "1", ExtManagementSystem)
       expect(record).to be_nil
-      expect(assigns(:bang).message).to include("Selected Provider no longer exists")
+      expect(assigns(:bang).message).to match(/User 'user[0-9]+' is not authorized to access 'Provider' record id '1'/)
     end
 
     it "Verify @record is set for passed in ID" do