Merge branch 'security-fix-leaking-namespace-name' into 'security'

Check that user has access to a given namespace to prevent leaking namespace names. See merge request !2009
author: Douwe Maan <douwe@gitlab.com> 2016-10-20 14:54:55 +0000
committer: Rémy Coutable <remy@rymai.me> 2016-10-24 15:49:05 +0200
commit: 4a0e8f59e25a0b33e8e8cf33678688df912da8eb (patch)
tree: 3e85c7274cf56f34f591c6618c8ee9301a87e37f /app/controllers/import/gitlab_projects_controller.rb
parent: 0e43e34b45c6e1de68e65c8a51df078e850ec2c6 (diff)
download: gitlab-ce-4a0e8f59e25a0b33e8e8cf33678688df912da8eb.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/app/controllers/import/gitlab_projects_controller.rb b/app/controllers/import/gitlab_projects_controller.rb
index 3ec173abcdb..36d246d185b 100644
--- a/app/controllers/import/gitlab_projects_controller.rb
+++ b/app/controllers/import/gitlab_projects_controller.rb
@@ -2,8 +2,8 @@ class Import::GitlabProjectsController < Import::BaseController
   before_action :verify_gitlab_project_import_enabled
 
   def new
-    @namespace_id = project_params[:namespace_id]
-    @namespace_name = Namespace.find(project_params[:namespace_id]).name
+    @namespace = Namespace.find(project_params[:namespace_id])
+    return render_404 unless current_user.can?(:create_projects, @namespace)
     @path = project_params[:path]
   end
author	Douwe Maan <douwe@gitlab.com>	2016-10-20 14:54:55 +0000
committer	Rémy Coutable <remy@rymai.me>	2016-10-24 15:49:05 +0200
commit	4a0e8f59e25a0b33e8e8cf33678688df912da8eb (patch)
tree	3e85c7274cf56f34f591c6618c8ee9301a87e37f /app/controllers/import/gitlab_projects_controller.rb
parent	0e43e34b45c6e1de68e65c8a51df078e850ec2c6 (diff)
download	gitlab-ce-4a0e8f59e25a0b33e8e8cf33678688df912da8eb.tar.gz