authorGitLab Bot <gitlab-bot@gitlab.com>2023-05-01 12:17:40 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-05-01 12:17:40 +0000
commit5e98d2784081393aea84b6591116d905da6eb567 (patch)
treef18117de3f067c2511861c3d2343b7c951032dae /spec
parent2655540094e856f3048fb737a19e4316d8264623 (diff)
Add latest changes from gitlab-org/security/gitlab@15-10-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/import/bitbucket_controller_spec.rb13
-rw-r--r--spec/controllers/import/bitbucket_server_controller_spec.rb2
-rw-r--r--spec/controllers/import/fogbugz_controller_spec.rb2
-rw-r--r--spec/controllers/import/gitea_controller_spec.rb2
-rw-r--r--spec/controllers/import/gitlab_controller_spec.rb2
-rw-r--r--spec/controllers/import/manifest_controller_spec.rb4
-rw-r--r--spec/controllers/projects/imports_controller_spec.rb14
-rw-r--r--spec/finders/groups/accepting_project_imports_finder_spec.rb105
-rw-r--r--spec/finders/groups/user_groups_finder_spec.rb20
-rw-r--r--spec/frontend/import_entities/components/group_dropdown_spec.js4
-rw-r--r--spec/frontend/import_entities/import_groups/components/import_table_spec.js4
-rw-r--r--spec/frontend/import_entities/import_groups/components/import_target_cell_spec.js4
-rw-r--r--spec/frontend/projects/new/components/app_spec.js16
-rw-r--r--spec/policies/group_policy_spec.rb118
-rw-r--r--spec/policies/namespaces/user_namespace_policy_spec.rb28
-rw-r--r--spec/requests/import/gitlab_projects_controller_spec.rb12
-rw-r--r--spec/services/import/bitbucket_server_service_spec.rb2
-rw-r--r--spec/services/import/fogbugz_service_spec.rb2
-rw-r--r--spec/services/import/github_service_spec.rb2
-rw-r--r--spec/services/projects/create_service_spec.rb17
-rw-r--r--spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb13
-rw-r--r--spec/support/shared_examples/controllers/import_controller_status_shared_examples.rb22
22 files changed, 377 insertions, 31 deletions
diff --git a/spec/controllers/import/bitbucket_controller_spec.rb b/spec/controllers/import/bitbucket_controller_spec.rb
index 055c98ebdbc..906cc5cb336 100644
--- a/spec/controllers/import/bitbucket_controller_spec.rb
+++ b/spec/controllers/import/bitbucket_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Import::BitbucketController do
+RSpec.describe Import::BitbucketController, feature_category: :importers do
include ImportSpecHelper
let(:user) { create(:user) }
@@ -445,5 +445,16 @@ RSpec.describe Import::BitbucketController do
)
end
end
+
+ context 'when user can not import projects' do
+ let!(:other_namespace) { create(:group, name: 'other_namespace').tap { |other_namespace| other_namespace.add_developer(user) } }
+
+ it 'returns 422 response' do
+ post :create, params: { target_namespace: other_namespace.name }, format: :json
+
+ expect(response).to have_gitlab_http_status(:unprocessable_entity)
+ expect(response.parsed_body['errors']).to eq('You are not allowed to import projects in this namespace.')
+ end
+ end
end
end
diff --git a/spec/controllers/import/bitbucket_server_controller_spec.rb b/spec/controllers/import/bitbucket_server_controller_spec.rb
index ac56d3af54f..b2a56423253 100644
--- a/spec/controllers/import/bitbucket_server_controller_spec.rb
+++ b/spec/controllers/import/bitbucket_server_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Import::BitbucketServerController do
+RSpec.describe Import::BitbucketServerController, feature_category: :importers do
let(:user) { create(:user) }
let(:project_key) { 'test-project' }
let(:repo_slug) { 'some-repo' }
diff --git a/spec/controllers/import/fogbugz_controller_spec.rb b/spec/controllers/import/fogbugz_controller_spec.rb
index e2d59fc213a..40a5c59fa2d 100644
--- a/spec/controllers/import/fogbugz_controller_spec.rb
+++ b/spec/controllers/import/fogbugz_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Import::FogbugzController do
+RSpec.describe Import::FogbugzController, feature_category: :importers do
include ImportSpecHelper
let(:user) { create(:user) }
diff --git a/spec/controllers/import/gitea_controller_spec.rb b/spec/controllers/import/gitea_controller_spec.rb
index 568712d29cb..7466ffb2393 100644
--- a/spec/controllers/import/gitea_controller_spec.rb
+++ b/spec/controllers/import/gitea_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Import::GiteaController do
+RSpec.describe Import::GiteaController, feature_category: :importers do
include ImportSpecHelper
let(:provider) { :gitea }
diff --git a/spec/controllers/import/gitlab_controller_spec.rb b/spec/controllers/import/gitlab_controller_spec.rb
index 7b3978297fb..2c09f8c010e 100644
--- a/spec/controllers/import/gitlab_controller_spec.rb
+++ b/spec/controllers/import/gitlab_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Import::GitlabController do
+RSpec.describe Import::GitlabController, feature_category: :importers do
include ImportSpecHelper
let(:user) { create(:user) }
diff --git a/spec/controllers/import/manifest_controller_spec.rb b/spec/controllers/import/manifest_controller_spec.rb
index 6f805b44e89..23d5d37ed88 100644
--- a/spec/controllers/import/manifest_controller_spec.rb
+++ b/spec/controllers/import/manifest_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Import::ManifestController, :clean_gitlab_redis_shared_state do
+RSpec.describe Import::ManifestController, :clean_gitlab_redis_shared_state, feature_category: :importers do
include ImportSpecHelper
let_it_be(:user) { create(:user) }
@@ -45,7 +45,7 @@ RSpec.describe Import::ManifestController, :clean_gitlab_redis_shared_state do
end
end
- context 'when the user cannot create projects in the group' do
+ context 'when the user cannot import projects in the group' do
it 'displays an error' do
sign_in(create(:user))
diff --git a/spec/controllers/projects/imports_controller_spec.rb b/spec/controllers/projects/imports_controller_spec.rb
index 65a80b9e8ec..05232afb81a 100644
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Projects::ImportsController do
+RSpec.describe Projects::ImportsController, feature_category: :importers do
let(:user) { create(:user) }
let(:project) { create(:project) }
@@ -149,17 +149,7 @@ RSpec.describe Projects::ImportsController do
import_state.update!(status: :started)
end
- context 'when group allows developers to create projects' do
- let(:group) { create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) }
-
- it 'renders template' do
- get :show, params: { namespace_id: project.namespace.to_param, project_id: project }
-
- expect(response).to render_template :show
- end
- end
-
- context 'when group prohibits developers to create projects' do
+ context 'when group prohibits developers to import projects' do
let(:group) { create(:group, project_creation_level: Gitlab::Access::MAINTAINER_PROJECT_ACCESS) }
it 'returns 404 response' do
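Review bot: With the 'when group allows developers to create projects' context deleted, nothing in this hunk pins what a developer gets when the group's `project_creation_level` is `Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS`, which is the one configuration where "may create" and "may import" now differ. Rather than dropping that context, I would keep it, rename it, and flip its expectation to `expect(response).to have_gitlab_http_status(:not_found)`, assuming 404 is the intended outcome there as well. The surviving 'prohibits developers' context continues past the end of the hunk, so its assertion is not visible here.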
diff --git a/spec/finders/groups/accepting_project_imports_finder_spec.rb b/spec/finders/groups/accepting_project_imports_finder_spec.rb
new file mode 100644
index 00000000000..4e06c2cbc67
--- /dev/null
+++ b/spec/finders/groups/accepting_project_imports_finder_spec.rb
@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::AcceptingProjectImportsFinder, feature_category: :importers do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:group_where_direct_owner) { create(:group) }
+ let_it_be(:subgroup_of_group_where_direct_owner) { create(:group, parent: group_where_direct_owner) }
+ let_it_be(:group_where_direct_maintainer) { create(:group) }
+ let_it_be(:group_where_direct_maintainer_but_cant_create_projects) do
+ create(:group, project_creation_level: Gitlab::Access::NO_ONE_PROJECT_ACCESS)
+ end
+
+ let_it_be(:group_where_direct_developer_but_developers_cannot_create_projects) { create(:group) }
+ let_it_be(:group_where_direct_developer) do
+ create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
+ end
+
+ let_it_be(:shared_with_group_where_direct_owner_as_owner) { create(:group) }
+
+ let_it_be(:shared_with_group_where_direct_owner_as_developer) do
+ create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
+ end
+
+ let_it_be(:shared_with_group_where_direct_owner_as_developer_but_developers_cannot_create_projects) do
+ create(:group)
+ end
+
+ let_it_be(:shared_with_group_where_direct_developer_as_maintainer) do
+ create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
+ end
+
+ let_it_be(:shared_with_group_where_direct_owner_as_guest) { create(:group) }
+ let_it_be(:shared_with_group_where_direct_owner_as_maintainer) { create(:group) }
+ let_it_be(:shared_with_group_where_direct_developer_as_owner) do
+ create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
+ end
+
+ let_it_be(:subgroup_of_shared_with_group_where_direct_owner_as_maintainer) do
+ create(:group, parent: shared_with_group_where_direct_owner_as_maintainer)
+ end
+
+ before do
+ group_where_direct_owner.add_owner(user)
+ group_where_direct_maintainer.add_maintainer(user)
+ group_where_direct_developer_but_developers_cannot_create_projects.add_developer(user)
+ group_where_direct_developer.add_developer(user)
+
+ create(:group_group_link, :owner,
+ shared_with_group: group_where_direct_owner,
+ shared_group: shared_with_group_where_direct_owner_as_owner
+ )
+
+ create(:group_group_link, :developer,
+ shared_with_group: group_where_direct_owner,
+ shared_group: shared_with_group_where_direct_owner_as_developer_but_developers_cannot_create_projects
+ )
+
+ create(:group_group_link, :maintainer,
+ shared_with_group: group_where_direct_developer,
+ shared_group: shared_with_group_where_direct_developer_as_maintainer
+ )
+
+ create(:group_group_link, :developer,
+ shared_with_group: group_where_direct_owner,
+ shared_group: shared_with_group_where_direct_owner_as_developer
+ )
+
+ create(:group_group_link, :guest,
+ shared_with_group: group_where_direct_owner,
+ shared_group: shared_with_group_where_direct_owner_as_guest
+ )
+
+ create(:group_group_link, :maintainer,
+ shared_with_group: group_where_direct_owner,
+ shared_group: shared_with_group_where_direct_owner_as_maintainer
+ )
+
+ create(:group_group_link, :owner,
+ shared_with_group: group_where_direct_developer_but_developers_cannot_create_projects,
+ shared_group: shared_with_group_where_direct_developer_as_owner
+ )
+ end
+
+ describe '#execute' do
+ subject(:result) { described_class.new(user).execute }
+
+ it 'only returns groups where the user has access to import projects' do
+ expect(result).to match_array([
+ group_where_direct_owner,
+ subgroup_of_group_where_direct_owner,
+ group_where_direct_maintainer,
+ # groups arising from group shares
+ shared_with_group_where_direct_owner_as_owner,
+ shared_with_group_where_direct_owner_as_maintainer,
+ subgroup_of_shared_with_group_where_direct_owner_as_maintainer
+ ])
+
+ expect(result).not_to include(group_where_direct_developer)
+ expect(result).not_to include(shared_with_group_where_direct_developer_as_owner)
+ expect(result).not_to include(shared_with_group_where_direct_developer_as_maintainer)
+ expect(result).not_to include(shared_with_group_where_direct_owner_as_developer)
+ end
+ end
+end
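Review bot: `group_where_direct_maintainer_but_cant_create_projects` is created with `NO_ONE_PROJECT_ACCESS`, but the `before` block never adds `user` to it, so it is missing from the result simply because the user is not a member. If the finder is meant to honour that level, adding `group_where_direct_maintainer_but_cant_create_projects.add_maintainer(user)` to `before` and `expect(result).not_to include(group_where_direct_maintainer_but_cant_create_projects)` to the example would exercise the case the name describes. The four existing `not_to include` expectations are already implied by `match_array`, so a short comment saying they are kept for readability would help the next reader.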
diff --git a/spec/finders/groups/user_groups_finder_spec.rb b/spec/finders/groups/user_groups_finder_spec.rb
index 999079468e5..f6df396037c 100644
--- a/spec/finders/groups/user_groups_finder_spec.rb
+++ b/spec/finders/groups/user_groups_finder_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Groups::UserGroupsFinder do
+RSpec.describe Groups::UserGroupsFinder, feature_category: :subgroups do
describe '#execute' do
let_it_be(:user) { create(:user) }
let_it_be(:root_group) { create(:group, name: 'Root group', path: 'root-group') }
@@ -98,6 +98,24 @@ RSpec.describe Groups::UserGroupsFinder do
end
end
+ context 'when permission is :import_projects' do
+ let(:arguments) { { permission_scope: :import_projects } }
+
+ specify do
+ is_expected.to contain_exactly(
+ public_maintainer_group,
+ public_owner_group,
+ private_maintainer_group
+ )
+ end
+
+ it_behaves_like 'user group finder searching by name or path' do
+ let(:keyword_search_expected_groups) do
+ [public_maintainer_group]
+ end
+ end
+ end
+
context 'when permission is :transfer_projects' do
let(:arguments) { { permission_scope: :transfer_projects } }
diff --git a/spec/frontend/import_entities/components/group_dropdown_spec.js b/spec/frontend/import_entities/components/group_dropdown_spec.js
index b44bc33de6f..14f39a35387 100644
--- a/spec/frontend/import_entities/components/group_dropdown_spec.js
+++ b/spec/frontend/import_entities/components/group_dropdown_spec.js
@@ -6,7 +6,7 @@ import createMockApollo from 'helpers/mock_apollo_helper';
import waitForPromises from 'helpers/wait_for_promises';
import GroupDropdown from '~/import_entities/components/group_dropdown.vue';
import { DEBOUNCE_DELAY } from '~/vue_shared/components/filtered_search_bar/constants';
-import searchNamespacesWhereUserCanCreateProjectsQuery from '~/projects/new/queries/search_namespaces_where_user_can_create_projects.query.graphql';
+import searchNamespacesWhereUserCanImportProjectsQuery from '~/import_entities/import_projects/graphql/queries/search_namespaces_where_user_can_import_projects.query.graphql';
Vue.use(VueApollo);
@@ -49,7 +49,7 @@ describe('Import entities group dropdown component', () => {
const createComponent = (propsData) => {
const apolloProvider = createMockApollo([
- [searchNamespacesWhereUserCanCreateProjectsQuery, () => SEARCH_NAMESPACES_MOCK],
+ [searchNamespacesWhereUserCanImportProjectsQuery, () => SEARCH_NAMESPACES_MOCK],
]);
namespacesTracker = jest.fn();
diff --git a/spec/frontend/import_entities/import_groups/components/import_table_spec.js b/spec/frontend/import_entities/import_groups/components/import_table_spec.js
index 205218fdabd..05e93f354c4 100644
--- a/spec/frontend/import_entities/import_groups/components/import_table_spec.js
+++ b/spec/frontend/import_entities/import_groups/components/import_table_spec.js
@@ -15,7 +15,7 @@ import ImportTable from '~/import_entities/import_groups/components/import_table
import importGroupsMutation from '~/import_entities/import_groups/graphql/mutations/import_groups.mutation.graphql';
import PaginationBar from '~/vue_shared/components/pagination_bar/pagination_bar.vue';
import PaginationLinks from '~/vue_shared/components/pagination_links.vue';
-import searchNamespacesWhereUserCanCreateProjectsQuery from '~/projects/new/queries/search_namespaces_where_user_can_create_projects.query.graphql';
+import searchNamespacesWhereUserCanImportProjectsQuery from '~/import_entities/import_projects/graphql/queries/search_namespaces_where_user_can_import_projects.query.graphql';
import {
AVAILABLE_NAMESPACES,
@@ -74,7 +74,7 @@ describe('import table', () => {
apolloProvider = createMockApollo(
[
[
- searchNamespacesWhereUserCanCreateProjectsQuery,
+ searchNamespacesWhereUserCanImportProjectsQuery,
() => Promise.resolve(availableNamespacesFixture),
],
],
diff --git a/spec/frontend/import_entities/import_groups/components/import_target_cell_spec.js b/spec/frontend/import_entities/import_groups/components/import_target_cell_spec.js
index a524d9ebdb0..a957e85723f 100644
--- a/spec/frontend/import_entities/import_groups/components/import_target_cell_spec.js
+++ b/spec/frontend/import_entities/import_groups/components/import_target_cell_spec.js
@@ -8,7 +8,7 @@ import ImportGroupDropdown from '~/import_entities/components/group_dropdown.vue
import { STATUSES } from '~/import_entities/constants';
import ImportTargetCell from '~/import_entities/import_groups/components/import_target_cell.vue';
import { DEBOUNCE_DELAY } from '~/vue_shared/components/filtered_search_bar/constants';
-import searchNamespacesWhereUserCanCreateProjectsQuery from '~/projects/new/queries/search_namespaces_where_user_can_create_projects.query.graphql';
+import searchNamespacesWhereUserCanImportProjectsQuery from '~/import_entities/import_projects/graphql/queries/search_namespaces_where_user_can_import_projects.query.graphql';
import {
generateFakeEntry,
@@ -42,7 +42,7 @@ describe('import target cell', () => {
const createComponent = (props) => {
apolloProvider = createMockApollo([
[
- searchNamespacesWhereUserCanCreateProjectsQuery,
+ searchNamespacesWhereUserCanImportProjectsQuery,
() => Promise.resolve(availableNamespacesFixture),
],
]);
diff --git a/spec/frontend/projects/new/components/app_spec.js b/spec/frontend/projects/new/components/app_spec.js
index 5b2dc25077e..079bd41cd37 100644
--- a/spec/frontend/projects/new/components/app_spec.js
+++ b/spec/frontend/projects/new/components/app_spec.js
@@ -41,6 +41,22 @@ describe('Experimental new project creation app', () => {
).toBe(isCiCdAvailable);
});
+ it.each`
+ canImportProjects | outcome
+ ${false} | ${'do not show Import panel'}
+ ${true} | ${'show Import panel'}
+ `('$outcome when canImportProjects is $canImportProjects', ({ canImportProjects }) => {
+ createComponent({
+ canImportProjects,
+ });
+
+ expect(
+ findNewNamespacePage()
+ .props()
+ .panels.some((p) => p.name === 'import_project'),
+ ).toBe(canImportProjects);
+ });
+
it('creates correct breadcrumbs for top-level projects', () => {
createComponent();
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 003ca2512dc..ad14c5c3f43 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -670,6 +670,124 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
end
end
+ context 'import_projects' do
+ before do
+ group.update!(project_creation_level: project_creation_level)
+ end
+
+ context 'when group has no project creation level set' do
+ let(:project_creation_level) { nil }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to no one' do
+ let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to maintainer only' do
+ let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+
+ context 'when group has project creation level set to developers + maintainer' do
+ let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS }
+
+ context 'reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+ end
+ end
+
context 'create_subgroup' do
context 'when group has subgroup creation level set to owner' do
before do
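Review bot: The `import_projects` matrix exercises reporter, developer, maintainer and owner only; guest, non-member and admin are not checked at any `project_creation_level`. The admin case matters most under `NO_ONE_PROJECT_ACCESS`, where owner is disallowed and these examples do not show whether an administrator should be too. The sixteen contexts differ only in level, role and expected outcome, so a table-driven form (one row per level/role pair) would make those extra rows cheap to add. The enclosing `RSpec.describe` starts outside the hunk, so some of these roles may already be covered by shared contexts that are not visible here.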
diff --git a/spec/policies/namespaces/user_namespace_policy_spec.rb b/spec/policies/namespaces/user_namespace_policy_spec.rb
index bb821490e30..3488f33f15c 100644
--- a/spec/policies/namespaces/user_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/user_namespace_policy_spec.rb
@@ -2,13 +2,13 @@
require 'spec_helper'
-RSpec.describe Namespaces::UserNamespacePolicy do
+RSpec.describe Namespaces::UserNamespacePolicy, feature_category: :subgroups do
let_it_be(:user) { create(:user) }
let_it_be(:owner) { create(:user) }
let_it_be(:admin) { create(:admin) }
let_it_be(:namespace) { create(:user_namespace, owner: owner) }
- let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing] }
+ let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects, :admin_package, :read_billing, :edit_billing, :import_projects] }
subject { described_class.new(current_user, namespace) }
@@ -34,6 +34,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do
it { is_expected.to be_disallowed(:create_projects) }
it { is_expected.to be_disallowed(:transfer_projects) }
+ it { is_expected.to be_disallowed(:import_projects) }
end
context 'bot user' do
@@ -41,6 +42,7 @@ RSpec.describe Namespaces::UserNamespacePolicy do
it { is_expected.to be_disallowed(:create_projects) }
it { is_expected.to be_disallowed(:transfer_projects) }
+ it { is_expected.to be_disallowed(:import_projects) }
end
end
@@ -103,4 +105,26 @@ RSpec.describe Namespaces::UserNamespacePolicy do
it { is_expected.to be_disallowed(:create_projects) }
end
end
+
+ describe 'import projects' do
+ context 'when user can import projects' do
+ let(:current_user) { owner }
+
+ before do
+ allow(current_user).to receive(:can_import_project?).and_return(true)
+ end
+
+ it { is_expected.to be_allowed(:import_projects) }
+ end
+
+ context 'when user cannot create projects' do
+ let(:current_user) { user }
+
+ before do
+ allow(current_user).to receive(:can_import_project?).and_return(false)
+ end
+
+ it { is_expected.to be_disallowed(:import_projects) }
+ end
+ end
end
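Review bot: The negative example sets `current_user` to `user`, who does not own `namespace`, so it would presumably be disallowed `:import_projects` whatever `can_import_project?` returns and the stub is never what decides the outcome. Using `let(:current_user) { owner }` with the stub returning `false` would show that the ability really is gated on `can_import_project?`. The context title should also read `'when user cannot import projects'` to match what it stubs.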
diff --git a/spec/requests/import/gitlab_projects_controller_spec.rb b/spec/requests/import/gitlab_projects_controller_spec.rb
index b2c2d306e53..fe3ea9e9c9e 100644
--- a/spec/requests/import/gitlab_projects_controller_spec.rb
+++ b/spec/requests/import/gitlab_projects_controller_spec.rb
@@ -90,4 +90,16 @@ RSpec.describe Import::GitlabProjectsController, feature_category: :importers do
subject { post authorize_import_gitlab_project_path, headers: workhorse_headers }
end
end
+
+ describe 'GET new' do
+ context 'when the user is not allowed to import projects' do
+ let!(:group) { create(:group).tap { |group| group.add_developer(user) } }
+
+ it 'returns 404' do
+ get new_import_gitlab_project_path, params: { namespace_id: group.id }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
end
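Review bot: The group in this 'GET new' example is a plain `create(:group)`, which the finder spec in this same commit names as a group where developers cannot create projects, so the 404 is probably returned whether the controller checks the create ability or the import ability. Building it as `create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)` would make the example fail if the check were ever relaxed back to project creation. The same applies to the 404 examples added in githubish_import_controller_shared_examples.rb and import_controller_status_shared_examples.rb, which also add a developer to a default group and assert only the status.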
diff --git a/spec/services/import/bitbucket_server_service_spec.rb b/spec/services/import/bitbucket_server_service_spec.rb
index aea6c45b3a8..ca554fb01c3 100644
--- a/spec/services/import/bitbucket_server_service_spec.rb
+++ b/spec/services/import/bitbucket_server_service_spec.rb
@@ -93,7 +93,7 @@ RSpec.describe Import::BitbucketServerService, feature_category: :importers do
result = subject.execute(credentials)
expect(result).to include(
- message: "You don't have permissions to create this project",
+ message: "You don't have permissions to import this project",
status: :error,
http_status: :unauthorized
)
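Review bot: The denial asserted here keeps `http_status: :unauthorized`, while the GitHub service spec in this commit expects `:unprocessable_entity` for the namespace denial and the controller specs expect 404, so one permission failure surfaces as three different statuses. 401 normally signals missing or invalid credentials rather than insufficient rights; if the service can change, `http_status: :forbidden` (or whichever single status the importers settle on) would be easier for API clients and log-based alerting to interpret. fogbugz_service_spec.rb carries the same expectation. The enclosing example starts outside the hunk.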
diff --git a/spec/services/import/fogbugz_service_spec.rb b/spec/services/import/fogbugz_service_spec.rb
index 6953213add7..ad02dc31da1 100644
--- a/spec/services/import/fogbugz_service_spec.rb
+++ b/spec/services/import/fogbugz_service_spec.rb
@@ -61,7 +61,7 @@ RSpec.describe Import::FogbugzService, feature_category: :importers do
result = subject.execute(credentials)
expect(result).to include(
- message: "You don't have permissions to create this project",
+ message: "You don't have permissions to import this project",
status: :error,
http_status: :unauthorized
)
diff --git a/spec/services/import/github_service_spec.rb b/spec/services/import/github_service_spec.rb
index 5d762568a62..a8928fb5c09 100644
--- a/spec/services/import/github_service_spec.rb
+++ b/spec/services/import/github_service_spec.rb
@@ -291,7 +291,7 @@ RSpec.describe Import::GithubService, feature_category: :importers do
{
status: :error,
http_status: :unprocessable_entity,
- message: 'This namespace has already been taken. Choose a different one.'
+ message: 'You are not allowed to import projects in this namespace.'
}
end
end
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index e435db4efa6..24e52e6ea67 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
@@ -254,6 +254,23 @@ RSpec.describe Projects::CreateService, '#execute', feature_category: :projects
end
it_behaves_like 'has sync-ed traversal_ids'
+
+ context 'when project is an import' do
+ context 'when user is not allowed to import projects' do
+ let(:group) do
+ create(:group).tap do |group|
+ group.add_developer(user)
+ end
+ end
+
+ it 'does not create the project' do
+ project = create_project(user, opts.merge!(namespace_id: group.id, import_type: 'gitlab_project'))
+
+ expect(project).not_to be_persisted
+ expect(project.errors.messages[:user].first).to eq('is not allowed to import projects')
+ end
+ end
+ end
end
context 'group sharing', :sidekiq_inline do
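Review bot: `opts.merge!(namespace_id: group.id, import_type: 'gitlab_project')` mutates the `opts` hash in place, although the example only needs a one-off variant of it. `create_project(user, opts.merge(namespace_id: group.id, import_type: 'gitlab_project'))` passes the same arguments without altering `opts` for anything else in the example that reads it. Where `opts` is defined is outside the hunk, so whether the mutation can currently leak is not visible from here.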
diff --git a/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb b/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb
index de38d1ff9f8..af1843bae28 100644
--- a/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb
@@ -138,6 +138,19 @@ RSpec.shared_examples 'a GitHub-ish import controller: GET status' do
.not_to exceed_all_query_limit(control_count)
end
+ context 'when user is not allowed to import projects' do
+ let(:user) { create(:user) }
+ let!(:group) { create(:group).tap { |group| group.add_developer(user) } }
+
+ it 'returns 404' do
+ expect(stub_client(repos: [], orgs: [])).to receive(:repos)
+
+ get :status, params: { namespace_id: group.id }, format: :html
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
context 'when filtering' do
let(:repo_2) { repo_fake.new(login: 'emacs', full_name: 'asd/emacs', name: 'emacs', owner: { login: 'owner' }) }
let(:project) { create(:project, import_type: provider, namespace: user.namespace, import_status: :finished, import_source: 'example/repo') }
diff --git a/spec/support/shared_examples/controllers/import_controller_status_shared_examples.rb b/spec/support/shared_examples/controllers/import_controller_status_shared_examples.rb
index 44baadaaade..e94f063399d 100644
--- a/spec/support/shared_examples/controllers/import_controller_status_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/import_controller_status_shared_examples.rb
@@ -19,4 +19,26 @@ RSpec.shared_examples 'import controller status' do
expect(json_response.dig("imported_projects", 0, "id")).to eq(project.id)
expect(json_response.dig("provider_repos", 0, "id")).to eq(repo_id)
end
+
+ context 'when format is html' do
+ context 'when namespace_id is present' do
+ let!(:developer_group) { create(:group).tap { |g| g.add_developer(user) } }
+
+ context 'when user cannot import projects' do
+ it 'returns 404' do
+ get :status, params: { namespace_id: developer_group.id }, format: :html
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'when user can import projects' do
+ it 'returns 200' do
+ get :status, params: { namespace_id: group.id }, format: :html
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
end