Handle notification_id query param gracefully for project show

There is no need to block users from viewing a project when someone is sharing a link from his notifications with the `notification_id` attached as a query param. The `notification_id` query param is used to render the notification toolbar for an authorized users. If someone without authorization is using the same link, we should simply not render the toolbar, but still show the project show view.
krauselukas · May 8, 2024 · d190659 · d190659
1 parent 8612fd9
commit d190659
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/src/api/app/controllers/webui/project_controller.rb b/src/api/app/controllers/webui/project_controller.rb
@@ -44,11 +44,7 @@ def show
     @has_patchinfo = @project.patchinfos.exists?
     @comments = @project.comments
     @comment = Comment.new
-
-    if User.session && params[:notification_id]
-      @current_notification = Notification.find(params[:notification_id])
-      authorize @current_notification, :update?, policy_class: NotificationPolicy
-    end
+    @current_notification = handle_notification
 
     respond_to do |format|
       format.html
@@ -474,4 +470,14 @@ def set_project_by_name
   rescue Project::UnknownObjectError
     @project = nil
   end
+
+  def handle_notification
+    return unless User.session && params[:notification_id]
+
+    current_notification = Notification.find(params[:notification_id])
+
+    return unless NotificationPolicy.new(User.session, current_notification).update?
+
+    current_notification
+  end
 end