-rw-r--r-- | app/controllers/concerns/membership_actions.rb | 12 | ||||
-rw-r--r-- | changelogs/unreleased/security-forked-from.yml | 5 | ||||
-rw-r--r-- | lib/api/projects.rb | 2 | ||||
-rw-r--r-- | locale/gitlab.pot | 6 | ||||
-rw-r--r-- | spec/requests/api/projects_spec.rb | 11 |
5 files changed, 33 insertions, 3 deletions
diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 1cf9046e30f..4ab02005b45 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -53,10 +53,16 @@ module MembershipActions
 end
 
 def request_access
- membershipable.request_access(current_user)
+ access_requester = membershipable.request_access(current_user)
 
- redirect_to polymorphic_path(membershipable),
- notice: _('Your request for access has been queued for review.')
+ if access_requester.persisted?
+ redirect_to polymorphic_path(membershipable),
+ notice: _('Your request for access has been queued for review.')
+ else
+ redirect_to polymorphic_path(membershipable),
+ alert: _("Your request for access could not be processed: %{error_meesage}") %
+ { error_meesage: access_requester.errors.full_messages.to_sentence }
+ end
 end
 
 def approve_access_request
diff --git a/changelogs/unreleased/security-forked-from.yml b/changelogs/unreleased/security-forked-from.yml
new file mode 100644
index 00000000000..77550193533
--- /dev/null
+++ b/changelogs/unreleased/security-forked-from.yml
@@ -0,0 +1,5 @@
+---
+title: Check forked project permissions before allowing fork
+merge_request:
+author:
+type: security
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index ee0731a331f..7c6a8e5d754 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -444,6 +444,8 @@ module API
 
 not_found!("Source Project") unless fork_from_project
 
+ authorize! :fork_project, fork_from_project
+
 result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
 
 if result
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 18cde86f956..4726f0e941d 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
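Review bot: The interpolation key is misspelled `error_meesage` in both the format string and the hash literal of the new else branch in request_access, and the same misspelling is now frozen into the extracted msgid in locale/gitlab.pot on the next line of this page; renaming it later means a msgid change and re-translation, so it is cheapest to fix now with `alert: _("Your request for access could not be processed: %{error_message}") %` / `{ error_message: access_requester.errors.full_messages.to_sentence }`. The persisted? branch also deserves a one-line why-comment, since the method previously always reported success: `# request_access may return an unsaved record; surface its validation errors instead of the success notice`. The enclosing module starts and ends outside the hunk.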
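Review bot: The new `authorize! :fork_project, fork_from_project` in lib/api/projects.rb is correctly placed after the `not_found!` guard, but nothing says what this policy check adds beyond the lookup that already produced fork_from_project; the spec in this same commit shows the difference is the source project's forking_access_level. A comment such as `# Being able to see the source is not enough: it must also permit forking (forking_access_level)` would make the intent explicit for the next reader. If this file has another endpoint that establishes a fork relationship (outside this hunk), it is worth confirming it performs the same `:fork_project` authorization so the check cannot be bypassed through a different route. The enclosing endpoint definition starts and ends outside the hunk.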
@@ -24201,6 +24201,9 @@ msgstr ""
 msgid "Your projects"
 msgstr ""
 
+msgid "Your request for access could not be processed: %{error_meesage}"
+msgstr ""
+
 msgid "Your request for access has been queued for review."
 msgstr ""
 
@@ -24618,6 +24621,9 @@ msgstr ""
 msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
 msgstr ""
 
+msgid "email '%{email}' is not a verified email."
+msgstr ""
+
 msgid "enabled"
 msgstr ""
 
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 853155cea7a..1332aee7bf3 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1891,6 +1891,17 @@ describe API::Projects do
 expect(project_fork_target).to be_forked
 end
 
+ it 'fails without permission from forked_from project' do
+ project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
+
+ post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ expect(project_fork_target.forked_from_project).to be_nil
+ expect(project_fork_target.fork_network_member).not_to be_present
+ expect(project_fork_target).not_to be_forked
+ end
+
 it 'denies project to be forked from a private project' do
 post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user) |
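Review bot: The three negative expectations on `project_fork_target` at the end of the new spec example are evaluated on the in-memory object rather than a fresh load; if `project_fork_target` is a `let` instantiated before the `post`, `forked_from_project` would be nil on that stale instance even if the fork had actually been created, so the example could pass without proving the 403 prevented the write. Reload before asserting, e.g. `expect(project_fork_target.reload.forked_from_project).to be_nil`, and likewise for the `fork_network_member` and `be_forked` checks. The status assertion on `response` is the only one that is independent of this. The enclosing describe block starts and ends outside the hunk.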