11 files changed, 27 insertions, 16 deletions

diff --git a/app/models/project.rb b/app/models/project.rb
index 7c10ab35431..3352959a53d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -969,8 +969,9 @@ class Project < ActiveRecord::Base
   end
 
   def visibility_level_allowed?(level = self.visibility_level)
-    allowed_by_forks =  if forked?
-                          Gitlab::VisibilityLevel.allowed_fork_levels(forked_from_project.visibility_level).include?(level)
+    allowed_by_forks =  if forked? && forked_project_link.forked_from_project_id.present?
+                          from_project = eager_load_forked_from_project
+                          Gitlab::VisibilityLevel.allowed_fork_levels(from_project.visibility_level).include?(level)
                         else
                           true
                         end
@@ -980,6 +981,11 @@ class Project < ActiveRecord::Base
     allowed_by_forks && allowed_by_groups
   end
 
+  #Necessary to retrieve many-to-many associations on new forks before validating visibility level
+  def eager_load_forked_from_project
+    Project.find(forked_project_link.forked_from_project_id)
+  end
+
   def runners_token
     ensure_runners_token!
   end
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index cebfc432002..c4b8420f9f2 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -10,7 +10,10 @@ module Projects
       @project = Project.new(params)
 
       # Make sure that the user is allowed to use the specified visibility level
-      return @project unless visibility_level_allowed?
+      unless visibility_level_allowed?
+        deny_visibility_level(@project)
+        return @project
+      end
 
       # Set project name from path
       if @project.name.present? && @project.path.present?
diff --git a/features/steps/shared/group.rb b/features/steps/shared/group.rb
index fe6736dacd4..ca32faa3159 100644
--- a/features/steps/shared/group.rb
+++ b/features/steps/shared/group.rb
@@ -38,7 +38,7 @@ module SharedGroup
   def is_member_of(username, groupname, role)
     @project_count ||= 0
     user = User.find_by(name: username) || create(:user, name: username)
-    group = Group.find_by(name: groupname) || create(:group, name: groupname)
+    group = Group.find_by(name: groupname) || create(:group, name: groupname, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
     group.add_user(user, role)
     project ||= create(:project, namespace: group, path: "project#{@project_count}")
     create(:closed_issue_event, project: project)
@@ -47,6 +47,6 @@ module SharedGroup
   end
 
   def owned_group
-    @owned_group ||= Group.find_by(name: "Owned")
+    @owned_group ||= Group.find_by(name: "Owned", visibility_level: Gitlab::VisibilityLevel::PUBLIC)
   end
 end
diff --git a/spec/controllers/namespaces_controller_spec.rb b/spec/controllers/namespaces_controller_spec.rb
index 77436958711..6350c9c6e48 100644
--- a/spec/controllers/namespaces_controller_spec.rb
+++ b/spec/controllers/namespaces_controller_spec.rb
@@ -15,7 +15,7 @@ describe NamespacesController do
     end
 
     context "when the namespace belongs to a group" do
-      let!(:group) { create(:group) }
+      let!(:group)   { create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
       let!(:project) { create(:project, namespace: group) }
 
       context "when the group has public projects" do
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index af5d043cf02..bf5b13f2645 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -30,7 +30,7 @@ describe UploadsController do
           end
         end
       end
-      
+
       context "when not signed in" do
         it "responds with status 200" do
           get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"
@@ -126,11 +126,12 @@ describe UploadsController do
     end
 
     context "when viewing a group avatar" do
-      let!(:group) { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
+      let!(:group)   { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
       let!(:project) { create(:project, namespace: group) }
 
       context "when the group has public projects" do
         before do
+          group.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
           project.update_attribute(:visibility_level, Project::PUBLIC)
         end
 
diff --git a/spec/features/projects_spec.rb b/spec/features/projects_spec.rb
index ed97b6cb577..e54a5a0b72a 100644
--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -12,25 +12,25 @@ feature 'Project', feature: true do
     it 'parses Markdown' do
       project.update_attribute(:description, 'This is **my** project')
       visit path
-      expect(page).to have_css('.project-home-desc > p > strong')
+      expect(page).to have_css('.cover-title > p > strong')
     end
 
     it 'passes through html-pipeline' do
       project.update_attribute(:description, 'This project is the :poop:')
       visit path
-      expect(page).to have_css('.project-home-desc > p > img')
+      expect(page).to have_css('.cover-title > p > img')
     end
 
     it 'sanitizes unwanted tags' do
       project.update_attribute(:description, "```\ncode\n```")
       visit path
-      expect(page).not_to have_css('.project-home-desc code')
+      expect(page).not_to have_css('.cover-title code')
     end
 
     it 'permits `rel` attribute on links' do
       project.update_attribute(:description, 'https://google.com/')
       visit path
-      expect(page).to have_css('.project-home-desc a[rel]')
+      expect(page).to have_css('.cover-title a[rel]')
     end
   end
 
diff --git a/spec/features/security/group_access_spec.rb b/spec/features/security/group_access_spec.rb
index 0194581dfd1..55bbeafba33 100644
--- a/spec/features/security/group_access_spec.rb
+++ b/spec/features/security/group_access_spec.rb
@@ -4,7 +4,7 @@ describe 'Group access', feature: true do
   include AccessMatchers
 
   def group
-    @group ||= create(:group)
+    @group ||= create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
   end
 
   def create_project(access_level)
diff --git a/spec/finders/projects_finder_spec.rb b/spec/finders/projects_finder_spec.rb
index fae0da9d898..194c9543772 100644
--- a/spec/finders/projects_finder_spec.rb
+++ b/spec/finders/projects_finder_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe ProjectsFinder do
   describe '#execute' do
     let(:user) { create(:user) }
-    let(:group) { create(:group) }
+    let(:group) { create(:group, visibility_level: Gitlab::VisibilityLevel::PUBLIC) }
 
     let!(:private_project) do
       create(:project, :private, name: 'A', path: 'A')
diff --git a/spec/finders/snippets_finder_spec.rb b/spec/finders/snippets_finder_spec.rb
index 7fdc5e5d7aa..b8940483dfb 100644
--- a/spec/finders/snippets_finder_spec.rb
+++ b/spec/finders/snippets_finder_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe SnippetsFinder do
   let(:user) { create :user }
   let(:user1) { create :user }
-  let(:group) { create :group }
+  let(:group) { create :group, visibility_level: Gitlab::VisibilityLevel::PUBLIC }
 
   let(:project1) { create(:empty_project, :public,  group: group) }
   let(:project2) { create(:empty_project, :private, group: group) }
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 74383204250..dba7ffc8565 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -442,7 +442,7 @@ describe Project, models: true do
   end
 
   describe '.trending' do
-    let(:group)    { create(:group) }
+    let(:group)    { create(:group, :public) }
     let(:project1) { create(:empty_project, :public, group: group) }
     let(:project2) { create(:empty_project, :public, group: group) }
 
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index a6699cdc81c..a5d4985dc78 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -275,6 +275,7 @@ describe API::API, api: true  do
 
       it 'should not allow a non-admin to use a restricted visibility level' do
         post api('/projects', user), @project
+
         expect(response.status).to eq(400)
         expect(json_response['message']['visibility_level'].first).to(
           match('restricted by your GitLab administrator')