Fix forks creation when visibility level is restrictedissue_10725

4 files changed, 48 insertions, 1 deletions

diff --git a/CHANGELOG b/CHANGELOG
index c59a66874c3..73f21ed4d8a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.9.0 (unreleased)
+  - Allow forking projects with restricted visibility level
   - Redesign navigation for project pages
   - Use gitlab-shell v3.0.0
   - Changed the Slack build message to use the singular duration if necessary (Aran Koning)
diff --git a/app/services/projects/fork_service.rb b/app/services/projects/fork_service.rb
index 0577ae778d5..de6dc38cc8e 100644
--- a/app/services/projects/fork_service.rb
+++ b/app/services/projects/fork_service.rb
@@ -3,7 +3,7 @@ module Projects
     def execute
       new_params = {
         forked_from_project_id: @project.id,
-        visibility_level:       @project.visibility_level,
+        visibility_level:       allowed_visibility_level,
         description:            @project.description,
         name:                   @project.name,
         path:                   @project.path,
@@ -19,5 +19,17 @@ module Projects
       new_project = CreateService.new(current_user, new_params).execute
       new_project
     end
+
+    private
+
+    def allowed_visibility_level
+      project_level = @project.visibility_level
+
+      if Gitlab::VisibilityLevel.non_restricted_level?(project_level)
+        project_level
+      else
+        Gitlab::VisibilityLevel.highest_allowed_level
+      end
+    end
   end
 end
diff --git a/lib/gitlab/visibility_level.rb b/lib/gitlab/visibility_level.rb
index a1ee1cba216..9462f3368e6 100644
--- a/lib/gitlab/visibility_level.rb
+++ b/lib/gitlab/visibility_level.rb
@@ -32,6 +32,13 @@ module Gitlab
         }
       end
 
+      def highest_allowed_level
+        restricted_levels = current_application_settings.restricted_visibility_levels
+
+        allowed_levels = self.values - restricted_levels
+        allowed_levels.max || PRIVATE
+      end
+
       def allowed_for?(user, level)
         user.is_admin? || allowed_level?(level.to_i)
       end
diff --git a/spec/services/projects/fork_service_spec.rb b/spec/services/projects/fork_service_spec.rb
index d1ee60a0aea..31bb7120d84 100644
--- a/spec/services/projects/fork_service_spec.rb
+++ b/spec/services/projects/fork_service_spec.rb
@@ -42,6 +42,33 @@ describe Projects::ForkService, services: true do
         expect(@to_project.builds_enabled?).to be_truthy
       end
     end
+
+    context "when project has restricted visibility level" do
+      context "and only one visibility level is restricted" do
+        before do
+          @from_project.update_attributes(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::INTERNAL])
+        end
+
+        it "creates fork with highest allowed level" do
+          forked_project = fork_project(@from_project, @to_user)
+
+          expect(forked_project.visibility_level).to eq(Gitlab::VisibilityLevel::PUBLIC)
+        end
+      end
+
+      context "and all visibility levels are restricted" do
+        before do
+          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC, Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PRIVATE])
+        end
+
+        it "creates fork with private visibility levels" do
+          forked_project = fork_project(@from_project, @to_user)
+
+          expect(forked_project.visibility_level).to eq(Gitlab::VisibilityLevel::PRIVATE)
+        end
+      end
+    end
   end
 
   describe :fork_to_namespace do