authz: always check config conflicts first

Administrator requested to merge jc/authzFilter-always-check-conflict-first into master

Created by: unknwon

Always perform config conflict check before the "len(repos) == 0" as explained in the code comments:

🚨 SECURITY: This "smart" check must happen after checking globals.PermissionsUserMapping().Enabled. Otherwise, we could leak the existence of repositories that a user has no access to by returning an error (resulted in 500), and returning nil (resulted in 404) for non-existent repositories.
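
The ordering issue described above, as an added Go sketch that is not the project's code: every name here (`shortcutFirst`, `conflictFirst`, `status`, `errConflict`) is hypothetical, the repo name is constructed, and the error-to-500 and empty-to-404 mapping is assumed from the comment. It compares the status returned for an existing private repository with that for a missing one while the config conflict is present.

```go
package main

import (
	"errors"
	"fmt"
)

var errConflict = errors.New("authz config conflict") // hypothetical name

// shortcutFirst: empty-list shortcut runs before the conflict check (old order).
func shortcutFirst(repos []string, conflict bool) ([]string, error) {
	if len(repos) == 0 {
		return repos, nil
	}
	if conflict {
		return nil, errConflict
	}
	return repos, nil // per-user permission filtering omitted in this sketch
}

// conflictFirst: conflict check runs before anything that depends on repos.
func conflictFirst(repos []string, conflict bool) ([]string, error) {
	if conflict {
		return nil, errConflict
	}
	return repos, nil // empty-list shortcut and filtering would follow here
}

type filterFunc func([]string, bool) ([]string, error)

// status models the HTTP layer: error -> 500, nothing returned -> 404.
func status(f filterFunc, found []string, conflict bool) int {
	out, err := f(found, conflict)
	if err != nil {
		return 500
	}
	if len(out) == 0 {
		return 404
	}
	return 200
}

// leaksExistence: do an existing and a missing repo answer differently under a conflict?
func leaksExistence(f filterFunc) bool {
	return status(f, []string{"private/repo"}, true) != status(f, nil, true)
}

func main() {
	fmt.Println(leaksExistence(shortcutFirst), leaksExistence(conflictFirst)) // true false
}
```

A regression test for this class of bug can assert exactly that property: for a caller without access, the response for an existing repository and for a non-existent one must be identical in every configuration state.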
