author | Rémy Coutable <remy@rymai.me> | 2016-09-22 11:19:29 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-09-22 11:19:29 +0000 |
commit | 2450625bbc1a9838b4ab76b652dfa1899c777927 (patch) | |
tree | cca2586ada914e0d4793e0d56d3f7fa6c540b2ac | |
parent | a41df736a77ee8a0ae362d7ea3d63ffd84203d1c (diff) | |
parent | 7458126111fab210974edb6e59cd722bee248088 (diff) | |
download | gitlab-ce-2450625bbc1a9838b4ab76b652dfa1899c777927.tar.gz |
Merge branch '22417-api-fork-fix' into 'master'
API: Return 404 when trying to fork to unaccessible namespace
Closes #22417
See merge request !6452
-rw-r--r-- | lib/api/projects.rb | 4 | ||||
-rw-r--r-- | spec/requests/api/fork_spec.rb | 4 |
2 files changed, 5 insertions, 3 deletions
diff --git a/lib/api/projects.rb b/lib/api/projects.rb index 5eb83c2c8f8..6d99617b56f 100644 --- a/lib/api/projects.rb +++ b/lib/api/projects.rb @@ -207,7 +207,9 @@ module API if namespace_id.present? namespace = Namespace.find_by(id: namespace_id) || Namespace.find_by_path_or_name(namespace_id) - not_found!('Target Namespace') unless namespace + unless namespace && can?(current_user, :create_projects, namespace) + not_found!('Target Namespace') + end attrs[:namespace] = namespace end diff --git a/spec/requests/api/fork_spec.rb b/spec/requests/api/fork_spec.rb index 06e3a2183c0..34f84f78952 100644 --- a/spec/requests/api/fork_spec.rb +++ b/spec/requests/api/fork_spec.rb @@ -94,7 +94,7 @@ describe API::API, api: true do it 'fails if trying to fork to another user when not admin' do post api("/projects/fork/#{project.id}", user2), namespace: admin.namespace.id - expect(response).to have_http_status(409) + expect(response).to have_http_status(404) end it 'fails if trying to fork to non-existent namespace' do @@ -114,7 +114,7 @@ describe API::API, api: true do it 'fails to fork to not owned group' do post api("/projects/fork/#{project.id}", user2), namespace: group.name - expect(response).to have_http_status(409) + expect(response).to have_http_status(404) end it 'forks to not owned group when admin' do |
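Review bot: The guard added in lib/api/projects.rb has no comment saying that it deliberately returns the same `not_found!('Target Namespace')` for a missing namespace and for one where `can?(current_user, :create_projects, namespace)` is false. Presumably the intent is that the response should not reveal whether a namespace exists, and a later change to a 403 for the forbidden case would undo that. I would add a comment above the `unless`, such as `# 404 for both missing and forbidden namespaces, so callers cannot probe which namespaces exist`. The enclosing `if namespace_id.present?` block and the endpoint begin above the hunk, so it is not visible here whether the fork path repeats the permission check further down.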
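Review bot: The two updated examples in spec/requests/api/fork_spec.rb ('fails if trying to fork to another user when not admin' and 'fails to fork to not owned group') assert only the status code, so they do not pin that the rejected request created no fork. Wrapping the request, for example `expect { post api("/projects/fork/#{project.id}", user2), namespace: group.name }.not_to change { Project.count }`, would cover that side effect. If a forbidden namespace is meant to be indistinguishable from a missing one, comparing the response body with the one from the 'fails if trying to fork to non-existent namespace' example would pin that too.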