Prevent new merge requests for archived projects

This prevents creating merge requests targeting archived projects.

This could happen when a project was already forked, but then the
source was archived.

6 files changed, 18 insertions, 5 deletions

diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 6d9b42a2c04..cbb14b55399 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -34,8 +34,12 @@ class Projects::ApplicationController < ApplicationController
   def can_collaborate_with_project?(project = nil, ref: nil)
     project ||= @project
 
+    can_create_merge_request =
+      can?(current_user, :create_merge_request_in_project, project) &&
+      current_user.already_forked?(project)
+
     can?(current_user, :push_code, project) ||
-      (current_user && current_user.already_forked?(project)) ||
+      can_create_merge_request ||
       user_access(project).can_push_to_branch?(ref)
   end
 
diff --git a/app/finders/merge_request_target_project_finder.rb b/app/finders/merge_request_target_project_finder.rb
index f358938344e..188ec447a94 100644
--- a/app/finders/merge_request_target_project_finder.rb
+++ b/app/finders/merge_request_target_project_finder.rb
@@ -12,6 +12,7 @@ class MergeRequestTargetProjectFinder
     if @source_project.fork_network
       @source_project.fork_network.projects
         .public_or_visible_to_user(current_user)
+        .non_archived
         .with_feature_available_for_user(:merge_requests, current_user)
     else
       Project.where(id: source_project)
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 2b440e4d584..ac7b8d6672e 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -59,7 +59,7 @@ module BlobHelper
       button_tag label, class: "#{common_classes} disabled has-tooltip", title: "It is not possible to #{action} files that are stored in LFS using the web interface", data: { container: 'body' }
     elsif can_modify_blob?(blob, project, ref)
       button_tag label, class: "#{common_classes}", 'data-target' => "#modal-#{modal_type}-blob", 'data-toggle' => 'modal'
-    elsif can?(current_user, :fork_project, project)
+    elsif can?(current_user, :create_merge_request_in_project, project)
       edit_fork_button_tag(common_classes, project, label, edit_modify_file_fork_params(action), action)
     end
   end
@@ -334,7 +334,7 @@ module BlobHelper
       # Web IDE (Beta) requires the user to have this feature enabled
     elsif !current_user || (current_user && can_modify_blob?(blob, project, ref))
       edit_link_tag(text, edit_path, common_classes)
-    elsif current_user && can?(current_user, :fork_project, project)
+    elsif can?(current_user, :create_merge_request_in_project, project)
       edit_fork_button_tag(common_classes, project, text, edit_blob_fork_params(edit_path))
     end
   end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b4970b605ca..72e30c932a9 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -140,6 +140,7 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:guest_access) }.policy do
     enable :read_project
+    enable :create_merge_request_in_project
     enable :read_board
     enable :read_list
     enable :read_wiki
@@ -250,6 +251,7 @@ class ProjectPolicy < BasePolicy
     prevent :request_access
     prevent :upload_file
     prevent :resolve_note
+    prevent :create_merge_request_in_project
 
     READONLY_FEATURES_WHEN_ARCHIVED.each do |feature|
       prevent(*create_update_admin_destroy(feature))
@@ -261,6 +263,7 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { merge_requests_disabled | repository_disabled }.policy do
+    prevent :create_merge_request_in_project
     prevent(*create_read_update_admin_destroy(:merge_request))
   end
 
@@ -306,6 +309,7 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:public_access) }.policy do
     enable :read_project
+    enable :create_merge_request_in_project
     enable :read_board
     enable :read_list
     enable :read_wiki
diff --git a/app/presenters/merge_request_presenter.rb b/app/presenters/merge_request_presenter.rb
index 9f3f2637183..950d3fde2ea 100644
--- a/app/presenters/merge_request_presenter.rb
+++ b/app/presenters/merge_request_presenter.rb
@@ -196,8 +196,12 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
   end
 
   def user_can_collaborate_with_project?
+    can_create_merge_request =
+      can?(current_user, :create_merge_request_in_project, project) &&
+      current_user.already_forked?(project)
+
     can?(current_user, :push_code, project) ||
-      (current_user && current_user.already_forked?(project)) ||
+      can_create_merge_request ||
       can_push_to_source_branch?
   end
 
diff --git a/app/services/merge_requests/create_service.rb b/app/services/merge_requests/create_service.rb
index c57a2445341..4c2c8398461 100644
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
@@ -72,7 +72,7 @@ module MergeRequests
       params.delete(:target_project_id)
 
       unless can?(current_user, :read_project, @source_project) &&
-          can?(current_user, :read_project, @project)
+          can?(current_user, :create_merge_request_in_project, @project)
 
         raise Gitlab::Access::AccessDeniedError
       end