Fix 404 for importing as developer

Fix 404 on import page when user have sufficient permissions to create project but not to admin it

Fix 404 for importing as developer
Fix 404 on import page when user have sufficient permissions to create project but not to admin it
b2ce4407 · Illya Klymov · 85b9ccc0 · b2ce4407 · b2ce4407 · b2ce4407
Commit b2ce4407 authored Jun 30, 2020 by Illya Klymov
3 changed files
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -5,7 +5,8 @@ class Projects::ImportsController < Projects::ApplicationController
  include ImportUrlParams

  # Authorize
-  before_action :authorize_admin_project!
+  before_action :authorize_admin_project!, only: [:new, :create]
+  before_action :require_namespace_project_creation_permission, only: :show
  before_action :require_no_repo, only: [:new, :create]
  before_action :redirect_if_progress, only: [:new, :create]
  before_action :redirect_if_no_import, only: :show
@@ -51,6 +52,10 @@ class Projects::ImportsController < Projects::ApplicationController
    end
  end

+  def require_namespace_project_creation_permission
+    render_404 unless current_user.can?(:admin_project, @project) || current_user.can?(:create_projects, @project.namespace)
+  end
+
  def redirect_if_progress
    if @project.import_in_progress?
      redirect_to project_import_path(@project)

--- a/changelogs/unreleased/xanf-fix-404-on-import.yml
+++ b/changelogs/unreleased/xanf-fix-404-on-import.yml
+---
+title: Fix 404 when importing project with developer permission
+merge_request: 35667
+author:
+type: fixed
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -8,10 +8,14 @@ RSpec.describe Projects::ImportsController do

  before do
    sign_in(user)
-    project.add_maintainer(user)
  end

  describe 'GET #show' do
+    context 'when the user has maintainer rights' do
+      before do
+        project.add_maintainer(user)
+      end
+
      context 'when repository does not exists' do
        it 'renders template' do
          get :show, params: { namespace_id: project.namespace.to_param, project_id: project }
@@ -123,11 +127,46 @@ RSpec.describe Projects::ImportsController do
      end
    end

+    context 'when project is in group' do
+      let(:project) { create(:project_empty_repo, import_url: 'https://github.com/vim/vim.git', namespace: group) }
+
+      context 'when user has developer access to group and import is in progress' do
+        let(:import_state) { project.import_state }
+
+        before do
+          group.add_developer(user)
+          import_state.update!(status: :started)
+        end
+
+        context 'when group allows developers to create projects' do
+          let(:group) { create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) }
+
+          it 'renders template' do
+            get :show, params: { namespace_id: project.namespace.to_param, project_id: project }
+
+            expect(response).to render_template :show
+          end
+        end
+
+        context 'when group prohibits developers to create projects' do
+          let(:group) { create(:group, project_creation_level: Gitlab::Access::MAINTAINER_PROJECT_ACCESS) }
+
+          it 'returns 404 response' do
+            get :show, params: { namespace_id: project.namespace.to_param, project_id: project }
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
+    end
+  end
+
  describe 'POST #create' do
    let(:params) { { import_url: 'https://github.com/vim/vim.git', import_url_user: 'user', import_url_password: 'password' } }
    let(:project) { create(:project) }

    before do
+      project.add_maintainer(user)
      allow(RepositoryImportWorker).to receive(:perform_async)

      post :create, params: { project: params, namespace_id: project.namespace.to_param, project_id: project }