Limit comparing to forked projects with their respective root project

lib/api/repositories.rb

@@ -120,9 +120,19 @@ module API
         optional :straight, type: Boolean, desc: 'Comparison method, `true` for direct comparison between `from` and `to` (`from`..`to`), `false` to compare using merge base (`from`...`to`)', default: false
       end
       get ':id/repository/compare' do
-        from_project = params[:from_project_id].present? ? find_project!(params[:from_project_id]) : user_project
+        if params[:from_project_id].present?
+          target_project = MergeRequestTargetProjectFinder
+            .new(current_user: current_user, source_project: user_project, project_feature: :repository)
+            .execute(include_routes: true).find_by_id(params[:from_project_id])
 
-        compare = CompareService.new(user_project, params[:to]).execute(from_project, params[:from], straight: params[:straight])
+          if target_project.blank?
+            render_api_error!("Target project id:#{params[:from_project_id]} is not a fork of project id:#{params[:id]}", 400)
+          end
+        else
+          target_project = user_project
+        end
+
+        compare = CompareService.new(user_project, params[:to]).execute(target_project, params[:from], straight: params[:straight])
 
         if compare
           present compare, with: Entities::Compare

spec/requests/api/repositories_spec.rb

@@ -6,6 +6,7 @@ require 'mime/types'
 RSpec.describe API::Repositories do
   include RepoHelpers
   include WorkhorseHelpers
+  include ProjectForksHelper
 
   let(:user) { create(:user) }
   let(:guest) { create(:user).tap { |u| create(:project_member, :guest, user: u, project: project) } }
@@ -392,11 +393,23 @@ RSpec.describe API::Repositories do
         expect(json_response['diffs']).to be_present
       end
 
-      it "compare commits between different projects" do
+      it "compare commits between different projects with non-forked relation" do
         public_project = create(:project, :repository, :public)
 
         get api(route, current_user), params: { from: sample_commit.parent_id, to: sample_commit.id, from_project_id: public_project.id }
 
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+
+      it "compare commits between different projects" do
+        group = create(:group)
+        group.add_owner(current_user)
+
+        forked_project = fork_project(project, current_user, repository: true, namespace: group)
+        forked_project.repository.create_ref('refs/heads/improve/awesome', 'refs/heads/improve/more-awesome')
+
+        get api(route, current_user), params: { from: 'improve/awesome', to: 'feature', from_project_id: forked_project.id }
+
         expect(response).to have_gitlab_http_status(:ok)
         expect(json_response['commits']).to be_present
         expect(json_response['diffs']).to be_present