Skip to content

G
gitlab-ce
Commit 6f8d6871 authored by Michelle Gill's avatar Michelle Gill
Browse files
Options

Check forked projects permissions before allowing fork

parent 9eb2d34f
Hide whitespace changes
Inline Side-by-side
Showing with 18 additions and 0 deletions
changelogs/unreleased/security-forked-from.yml 0 → 100644
View file @ 6f8d6871
---
title: Check forked project permissions before allowing fork
merge_request:
author:
type: security
lib/api/projects.rb
View file @ 6f8d6871
......@@ -444,6 +444,8 @@ module API
not_found!("Source Project") unless fork_from_project
authorize! :fork_project, fork_from_project
result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
if result
......
spec/requests/api/projects_spec.rb
View file @ 6f8d6871
......@@ -1891,6 +1891,17 @@ describe API::Projects do
expect(project_fork_target).to be_forked
end
it 'fails without permission from forked_from project' do
project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
expect(response).to have_gitlab_http_status(:forbidden)
expect(project_fork_target.forked_from_project).to be_nil
expect(project_fork_target.fork_network_member).not_to be_present
expect(project_fork_target).not_to be_forked
end
it 'denies project to be forked from a private project' do
post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7