Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee

5bc4a1ef · GitLab Bot · df400447 · 5bc4a1ef · 5bc4a1ef · 5bc4a1ef
Commit 5bc4a1ef authored May 26, 2020 by GitLab Bot
5 changed files
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -53,10 +53,16 @@ module MembershipActions
  end

  def request_access
-    membershipable.request_access(current_user)
+    access_requester = membershipable.request_access(current_user)

-    redirect_to polymorphic_path(membershipable),
-                notice: _('Your request for access has been queued for review.')
+    if access_requester.persisted?
+      redirect_to polymorphic_path(membershipable),
+                  notice: _('Your request for access has been queued for review.')
+    else
+      redirect_to polymorphic_path(membershipable),
+                  alert: _("Your request for access could not be processed: %{error_meesage}") %
+                    { error_meesage: access_requester.errors.full_messages.to_sentence }
+    end
  end

  def approve_access_request

--- a/changelogs/unreleased/security-forked-from.yml
+++ b/changelogs/unreleased/security-forked-from.yml
+---
+title: Check forked project permissions before allowing fork
+merge_request:
+author:
+type: security
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -444,6 +444,8 @@ module API

        not_found!("Source Project") unless fork_from_project

+        authorize! :fork_project, fork_from_project
+
        result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)

        if result

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -25266,6 +25266,9 @@ msgstr ""
 msgid "Your projects"
 msgstr ""

+msgid "Your request for access could not be processed: %{error_meesage}"
+msgstr ""
+
 msgid "Your request for access has been queued for review."
 msgstr ""

@@ -25704,6 +25707,9 @@ msgstr ""
 msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
 msgstr ""

+msgid "email '%{email}' is not a verified email."
+msgstr ""
+
 msgid "enabled"
 msgstr ""


--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1891,6 +1891,17 @@ describe API::Projects do
          expect(project_fork_target).to be_forked
        end

+        it 'fails without permission from forked_from project' do
+          project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
+
+          post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(project_fork_target.forked_from_project).to be_nil
+          expect(project_fork_target.fork_network_member).not_to be_present
+          expect(project_fork_target).not_to be_forked
+        end
+
        it 'denies project to be forked from a private project' do
          post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)