The function `authenticated?` in roust.rb would check for an `Unauthenticated` exception thrown from the function `show('1')`.
However, if an HTTP request to `ticket/1` returns a `# You are not allowed to display ticket 1.`, `ticket_show('1')` would continue to call `parse_ticket_attributes`, which happily tries to expand the response body and creates a `hash = body_to_hash(body)`, assuming that an `id = ticket/1` field is present in the response body.
Once it tries to access its 'id' key in `hash['id'] = hash['id'].split('/').last`, it throws ``undefined method `split' for nil:NilClass``.
Additionally, if the ticket/1 is not present at all, `authenticated?` would untruthfully not return true, because the `if show('1')` test fails.
This patch prevents `ticket_show()` from continuing if the ticket is disallowed and properly returns true in `authenticated?` if no exception is thrown.
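The failure mode described above, reproduced as an added example that is not part of the original pull request or Roust's code. The response bodies are constructed samples, `body_to_hash` is a simplified stand-in, and `parse_naive`, `parse_guarded`, the `Unauthorized` class and the choice to raise it are assumptions of this sketch.

```ruby
# Added illustration; names and sample bodies are constructed, not Roust's code.
class Unauthenticated < StandardError; end
class Unauthorized < StandardError; end

OK_BODY     = "RT/4.2.9 200 Ok\n\nid: ticket/1\nQueue: General\nSubject: test\n"
DENIED_BODY = "RT/4.2.9 200 Ok\n\n# You are not allowed to display ticket 1.\n"
LOGIN_BODY  = "RT/4.2.9 401 Credentials required\n"

# Simplified stand-in for body_to_hash: collect "Key: value" lines, skip comments.
def body_to_hash(body)
  body.lines.drop(1).each_with_object({}) do |line, hash|
    next if line.strip.empty? || line.start_with?('#')
    key, value = line.chomp.split(/:\s*/, 2)
    hash[key] = value unless value.nil?
  end
end

# Before: assumes an id field is always present, so a denial body hits nil.split.
def parse_naive(body)
  hash = body_to_hash(body)
  hash['id'] = hash['id'].split('/').last
  hash
end

# After: classify the response before touching hash['id'].
def parse_guarded(body)
  raise Unauthenticated, body.lines.first.chomp if body =~ /\ART\/[\d.]+ 401 /
  denied = body[/^# (You are not allowed to .*)$/, 1]
  raise Unauthorized, denied if denied
  hash = body_to_hash(body)
  raise ArgumentError, 'response has no id field' if hash['id'].nil?
  hash['id'] = hash['id'].split('/').last
  hash
end

# Only a credential failure means "not authenticated".
def authenticated?(body)
  parse_guarded(body)
  true
rescue Unauthenticated
  false
rescue Unauthorized
  true # a denied ticket still means the session itself was accepted
end
```

Keeping the authorization failure distinct from the authentication failure stops a permissions error on one ticket from being reported as a failed login.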