From d1906599edf5c5f84550cb97f2c0413e83760f05 Mon Sep 17 00:00:00 2001
From: Lukas Krause
Date: Wed, 8 May 2024 16:13:28 +0200
Subject: [PATCH] Handle `notification_id` query param gracefully for project show

There is no need to block users from viewing a project when someone is sharing a link from his notifications with the `notification_id` attached as a query param. The `notification_id` query param is used to render the notification toolbar for an authorized users. If someone without authorization is using the same link, we should simply not render the toolbar, but still show the project show view.
---
 .../app/controllers/webui/project_controller.rb | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/api/app/controllers/webui/project_controller.rb b/src/api/app/controllers/webui/project_controller.rb
index e7c1678a148..62b5dd7a571 100644
--- a/src/api/app/controllers/webui/project_controller.rb
+++ b/src/api/app/controllers/webui/project_controller.rb
@@ -44,11 +44,7 @@ def show
     @has_patchinfo = @project.patchinfos.exists?
     @comments = @project.comments
     @comment = Comment.new
-
-    if User.session && params[:notification_id]
-      @current_notification = Notification.find(params[:notification_id])
-      authorize @current_notification, :update?, policy_class: NotificationPolicy
-    end
+    @current_notification = handle_notification
 
     respond_to do |format|
       format.html
@@ -474,4 +470,14 @@ def set_project_by_name
   rescue Project::UnknownObjectError
     @project = nil
   end
+
+  def handle_notification
+    return unless User.session && params[:notification_id]
+
+    current_notification = Notification.find(params[:notification_id])
+
+    return unless NotificationPolicy.new(User.session, current_notification).update?
+
+    current_notification
+  end
 end
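Review bot: `Notification.find(params[:notification_id])` in the new `handle_notification` still raises `ActiveRecord::RecordNotFound` when the id is unknown or stale (e.g. a link shared after the notification was deleted), so the "gracefully" goal of the commit is only met for the authorization case, not the lookup case; changing the lookup to `current_notification = Notification.find_by(id: params[:notification_id])` followed by `return unless current_notification` keeps the project page rendering in that case as well. Instantiating `NotificationPolicy` directly instead of going through Pundit's `authorize` also means this check is no longer recorded by Pundit; if this controller (or a parent) relies on `verify_authorized` or overrides `pundit_user`, the result may differ from the removed code, which I cannot confirm from the hunk. The method name reads like it performs an action, while it only returns a value; a short doc comment such as `# Returns the notification from params[:notification_id] if the session user may update it, nil otherwise.` above `def handle_notification` would make the nil contract that `show` now depends on explicit.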