summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--CHANGELOG3
-rw-r--r--app/controllers/projects/project_members_controller.rb9
-rw-r--r--spec/controllers/projects/project_members_controller_spec.rb49
3 files changed, 59 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 39239bebcfb..362a571bb4f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -20,6 +20,9 @@ v 8.7.0 (unreleased)
- Fall back to `In-Reply-To` and `References` headers when sub-addressing is not available (David Padilla)
- Remove "Congratulations!" tweet button on newly-created project. (Connor Shea)
+v 8.6.5 (unreleased)
+ - Check permissions when user attempts to import members from another project
+
v 8.6.4
- Don't attempt to fetch any tags from a forked repo (Stan Hu)
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index e7bddc4a6f1..cd984f03c6b 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -95,8 +95,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
def apply_import
giver = Project.find(params[:source_project_id])
- status = @project.team.import(giver, current_user)
- notice = status ? "Successfully imported" : "Import failed"
+
+ if current_user.can?(:read_project_member, giver)
+ status = @project.team.import(giver, current_user)
+ notice = status ? "Successfully imported" : "Import failed"
+ else
+ notice = 'You are not authorized to import members from this project'
+ end
redirect_to(namespace_project_project_members_path(project.namespace, project),
notice: notice)
diff --git a/spec/controllers/projects/project_members_controller_spec.rb b/spec/controllers/projects/project_members_controller_spec.rb
new file mode 100644
index 00000000000..6d1df8d9fbe
--- /dev/null
+++ b/spec/controllers/projects/project_members_controller_spec.rb
@@ -0,0 +1,49 @@
+require('spec_helper')
+
+describe Projects::ProjectMembersController do
+ let(:project) { create(:project) }
+ let(:another_project) { create(:project, :private) }
+ let(:user) { create(:user) }
+ let(:member) { create(:user) }
+
+ before do
+ project.team << [user, :master]
+ another_project.team << [member, :guest]
+ sign_in(user)
+ end
+
+ describe '#apply_import' do
+ shared_context 'import applied' do
+ before do
+ post(:apply_import, namespace_id: project.namespace.to_param,
+ project_id: project.to_param,
+ source_project_id: another_project.id)
+ end
+ end
+
+ context 'when user can access source project members' do
+ before { another_project.team << [user, :guest] }
+ include_context 'import applied'
+
+ it 'imports source project members' do
+ expect(project.team_members).to include member
+ expect(response).to set_flash.to 'Successfully imported'
+ expect(response).to redirect_to(
+ namespace_project_project_members_path(project.namespace, project)
+ )
+ end
+ end
+
+ context 'when user is not member of a source project' do
+ include_context 'import applied'
+
+ it 'does not import team members' do
+ expect(project.team_members).to_not include member
+ end
+
+ it 'notifies about invalid permissions' do
+ expect(response).to set_flash.to /not authorized/
+ end
+ end
+ end
+end
View Lorry Controller Status