Commit 5bc4a1ef authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee

parent df400447
...@@ -53,10 +53,16 @@ module MembershipActions ...@@ -53,10 +53,16 @@ module MembershipActions
end end
def request_access def request_access
membershipable.request_access(current_user) access_requester = membershipable.request_access(current_user)
redirect_to polymorphic_path(membershipable), if access_requester.persisted?
notice: _('Your request for access has been queued for review.') redirect_to polymorphic_path(membershipable),
notice: _('Your request for access has been queued for review.')
else
redirect_to polymorphic_path(membershipable),
alert: _("Your request for access could not be processed: %{error_meesage}") %
{ error_meesage: access_requester.errors.full_messages.to_sentence }
end
end end
def approve_access_request def approve_access_request
......
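Review bot: The interpolation key in the new alert string is misspelled as `%{error_meesage}`, both in the format string and in the hash passed to `%` in the `else` branch of `request_access`. It works only because the two spellings match, and the key is part of the translatable msgid (the same string is added to the locale template later in this commit), so a later correction would invalidate existing translations. I would fix it now: `alert: _("Your request for access could not be processed: %{error_message}") %` with `{ error_message: access_requester.errors.full_messages.to_sentence }`, and the matching msgid. The branch also relies on `membershipable.request_access` always returning a record that responds to `persisted?` and `errors`; that method is not visible here, so a one-line comment stating that contract would help.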
---
title: Check forked project permissions before allowing fork
merge_request:
author:
type: security
...@@ -444,6 +444,8 @@ module API ...@@ -444,6 +444,8 @@ module API
not_found!("Source Project") unless fork_from_project not_found!("Source Project") unless fork_from_project
authorize! :fork_project, fork_from_project
result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project) result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
if result if result
......
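Review bot: The added `authorize! :fork_project, fork_from_project` has no comment explaining why it is needed after the lookup above it, and this hunk alone does not show that forking can be restricted separately from read access. I would put a line above it such as `# Being able to read the source project is not enough: forking can be restricted per project (forking_access_level).` The check covers only the source side. Whether the caller's rights on `user_project`, the fork target, are enforced is decided outside this hunk and is worth confirming. The enclosing endpoint block starts and ends outside the hunk.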
...@@ -25266,6 +25266,9 @@ msgstr "" ...@@ -25266,6 +25266,9 @@ msgstr ""
msgid "Your projects" msgid "Your projects"
msgstr "" msgstr ""
msgid "Your request for access could not be processed: %{error_meesage}"
msgstr ""
msgid "Your request for access has been queued for review." msgid "Your request for access has been queued for review."
msgstr "" msgstr ""
...@@ -25704,6 +25707,9 @@ msgstr "" ...@@ -25704,6 +25707,9 @@ msgstr ""
msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'" msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
msgstr "" msgstr ""
msgid "email '%{email}' is not a verified email."
msgstr ""
msgid "enabled" msgid "enabled"
msgstr "" msgstr ""
......
...@@ -1891,6 +1891,17 @@ describe API::Projects do ...@@ -1891,6 +1891,17 @@ describe API::Projects do
expect(project_fork_target).to be_forked expect(project_fork_target).to be_forked
end end
it 'fails without permission from forked_from project' do
project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
expect(response).to have_gitlab_http_status(:forbidden)
expect(project_fork_target.forked_from_project).to be_nil
expect(project_fork_target.fork_network_member).not_to be_present
expect(project_fork_target).not_to be_forked
end
it 'denies project to be forked from a private project' do it 'denies project to be forked from a private project' do
post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user) post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)
......
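Review bot: The new example 'fails without permission from forked_from project' depends on `user` not being a member of `project_fork_source`, and that setup is outside this hunk. If `ProjectFeature::PRIVATE` limits forking to project members, as the constant name suggests, the 403 is only reached for non-members and the example does not pin where the boundary lies. A companion example that first runs `project_fork_source.add_developer(user)` and then expects the same request to succeed would cover the other side. A short comment on the example naming the precondition, e.g. `# user can read the source project but is not a member of it`, would make the intent clear.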