Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee

app/services/projects/unlink_fork_service.rb

@@ -32,6 +32,8 @@ module Projects
         if fork_network = @project.root_of_fork_network
           fork_network.update(root_project: nil, deleted_root_project_name: @project.full_name)
         end
+
+        @project.leave_pool_repository
       end
 
       # rubocop: disable Cop/InBatches

changelogs/unreleased/security-id-leave-pool-for-private-forks.yml

+---
+title: Leave pool repository on fork unlinking
+merge_request:
+author:
+type: security

changelogs/unreleased/security-trigger-system-hook-by-post.yml

+---
+title: Require POST request to trigger system hooks
+merge_request:
+author:
+type: security

doc/api/system_hooks.md

@@ -88,7 +88,7 @@ Example response:
 ## Test system hook
 
 ```plaintext
-GET /hooks/:id
+POST /hooks/:id
 ```
 
 | Attribute | Type | Required | Description |
@@ -98,7 +98,7 @@ GET /hooks/:id
 Example request:
 
 ```shell
-curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/hooks/2"
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/hooks/1"
 ```
 
 Example response:

lib/api/system_hooks.rb

@@ -47,7 +47,7 @@ module API
       params do
         requires :id, type: Integer, desc: 'The ID of the system hook'
       end
-      get ":id" do
+      post ":id" do
         hook = SystemHook.find(params[:id])
         data = {
           event_name: "project_create",

spec/factories/pool_repositories.rb

@@ -6,7 +6,7 @@ FactoryBot.define do
     state { :none }
 
     before(:create) do |pool|
-      pool.source_project = create(:project, :repository)
+      pool.source_project ||= create(:project, :repository)
       pool.source_project.update!(pool_repository: pool)
     end
 

spec/requests/api/system_hooks_spec.rb

@@ -103,15 +103,15 @@ RSpec.describe API::SystemHooks do
     end
   end
 
-  describe "GET /hooks/:id" do
-    it "returns hook by id" do
-      get api("/hooks/#{hook.id}", admin)
-      expect(response).to have_gitlab_http_status(:ok)
+  describe 'POST /hooks/:id' do
+    it "returns and trigger hook by id" do
+      post api("/hooks/#{hook.id}", admin)
+      expect(response).to have_gitlab_http_status(:created)
       expect(json_response['event_name']).to eq('project_create')
     end
 
     it "returns 404 on failure" do
-      get api("/hooks/404", admin)
+      post api("/hooks/404", admin)
       expect(response).to have_gitlab_http_status(:not_found)
     end
   end

spec/services/projects/fork_service_spec.rb

@@ -403,7 +403,7 @@ RSpec.describe Projects::ForkService do
   end
 
   context 'when forking with object pools' do
-    let(:fork_from_project) { create(:project, :public) }
+    let(:fork_from_project) { create(:project, :repository, :public) }
     let(:forker) { create(:user) }
 
     context 'when no pool exists' do

spec/services/projects/unlink_fork_service_spec.rb

@@ -207,6 +207,17 @@ RSpec.describe Projects::UnlinkForkService, :use_clean_rails_memory_store_cachin
     end
   end
 
+  context 'a project with pool repository' do
+    let(:project) { create(:project, :public, :repository) }
+    let!(:pool_repository) { create(:pool_repository, :ready, source_project: project) }
+
+    subject { described_class.new(project, user) }
+
+    it 'when unlinked leaves pool repository' do
+      expect { subject.execute }.to change { project.reload.has_pool_repository? }.from(true).to(false)
+    end
+  end
+
   context 'when given project is not part of a fork network' do
     let!(:project_without_forks) { create(:project, :public) }