From 7d186156a0996db21341ad13ab22c368d0409fc5 Mon Sep 17 00:00:00 2001
From: Urban Rotnik
Date: Tue, 11 Aug 2020 17:00:36 +0200
Subject: [PATCH] Fix permission check lapsus
---
 app/controllers/search_controller.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 302cba1bb..72185547d 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -263,7 +263,9 @@ class SearchController < ApplicationController
 def search_repository
 @repository = Repository.find_by_id(params[:repository])
- render_403 unless user.teams.include?(repository.team) || repository.private_shared_with?(user.teams)
+ unless current_user.teams.include?(@repository.team) || @repository.private_shared_with?(current_user.teams)
+ render_403
+ end
 @repository_results = []
 if @repository_search_count_total > 0
 @repository_results =
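Review bot: The new `unless … render_403 … end` block does not stop `search_repository`: unless `render_403` raises (its definition is not shown), execution falls through to `@repository_results = []` and the query below it, so the repository is still searched for a user who failed the team check. `Repository.find_by_id` also returns nil for a missing or unknown `params[:repository]`, and `@repository.team` then raises NoMethodError instead of producing a clean denial. Consider `return render_403 unless @repository && (current_user.teams.include?(@repository.team) || @repository.private_shared_with?(current_user.teams))`. If this method is called from another action rather than routed directly, that caller would also need to stop, for example by checking `performed?`; the rest of the method body lies outside the hunk.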