The function authenticated? in roust.rb would check for an Unauthenticated exception thrown from the function show('1').
However, if an http request to ticket/1 returns a # You are not allowed to display ticket 1., ticket_show('1') would continue to call parse_ticket_attributes which happily tries to expand the response body, creates a hash = body_to_hash(body) assuming that an id = ticket/1 field is present in the response body.
Once it tries to access its 'id' key in hash['id'] = hash['id'].split('/').last, it throws undefined methodsplit' for nil:NilClass`.
Additionally, if the ticket/1 is not present at all, authenticated? would untruthfully not return true, because the if show('1') test fails.
This patch prevents ticket_show() to continue if the ticket is disallowed and properly returns true in authenticate?, if no exception is thrown.
erdgeist
commented
7 years ago
The function
authenticated?in roust.rb would check for anUnauthenticatedexception thrown from the functionshow('1').However, if an http request to
ticket/1returns a# You are not allowed to display ticket 1.,ticket_show('1')would continue to callparse_ticket_attributeswhich happily tries to expand the response body, creates ahash = body_to_hash(body)assuming that anid = ticket/1field is present in the response body.Once it tries to access its 'id' key in
hash['id'] = hash['id'].split('/').last, it throwsundefined methodsplit' for nil:NilClass`.Additionally, if the ticket/1 is not present at all,
authenticated?would untruthfully not return true, because theif show('1')test fails.This patch prevents
ticket_show()to continue if the ticket is disallowed and properly returns true inauthenticate?, if no exception is thrown.