-rw-r--r--app/controllers/concerns/membership_actions.rb12
-rw-r--r--changelogs/unreleased/security-forked-from.yml5
-rw-r--r--lib/api/projects.rb2
-rw-r--r--locale/gitlab.pot6
-rw-r--r--spec/requests/api/projects_spec.rb11
5 files changed, 33 insertions, 3 deletions
diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 1cf9046e30f..4ab02005b45 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -53,10 +53,16 @@ module MembershipActions
end
def request_access
- membershipable.request_access(current_user)
+ access_requester = membershipable.request_access(current_user)
- redirect_to polymorphic_path(membershipable),
- notice: _('Your request for access has been queued for review.')
+ if access_requester.persisted?
+ redirect_to polymorphic_path(membershipable),
+ notice: _('Your request for access has been queued for review.')
+ else
+ redirect_to polymorphic_path(membershipable),
+ alert: _("Your request for access could not be processed: %{error_meesage}") %
+ { error_meesage: access_requester.errors.full_messages.to_sentence }
+ end
end
def approve_access_request
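Review bot: The interpolation key in the new alert is misspelled, `%{error_meesage}`, on both the format string and the hash, and because the string is wrapped in `_()` the same typo becomes the msgid extracted into locale/gitlab.pot, so every translator inherits it; rename it before it lands, `alert: _("Your request for access could not be processed: %{error_message}") % { error_message: access_requester.errors.full_messages.to_sentence }`, and regenerate the pot entry. The two branches also repeat `redirect_to polymorphic_path(membershipable)` with only the flash key differing; building the flash hash in the conditional and redirecting once afterwards keeps the success path a single line. The alert relays the model's validation messages to the requester verbatim, which is appropriate for the messages that exist today but is worth remembering if validations with internal detail are added to request_access later.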
diff --git a/changelogs/unreleased/security-forked-from.yml b/changelogs/unreleased/security-forked-from.yml
new file mode 100644
index 00000000000..77550193533
--- /dev/null
+++ b/changelogs/unreleased/security-forked-from.yml
@@ -0,0 +1,5 @@
+---
+title: Check forked project permissions before allowing fork
+merge_request:
+author:
+type: security
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 732453cf1c4..f305da681c4 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -444,6 +444,8 @@ module API
not_found!("Source Project") unless fork_from_project
+ authorize! :fork_project, fork_from_project
+
result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
if result
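Review bot: The new `authorize! :fork_project, fork_from_project` runs only after `not_found!("Source Project")`, so whether a caller receives 404 or 403 for a source they may not fork depends on how fork_from_project is looked up on the lines above the hunk, which are not visible here; if that lookup does not already apply read visibility, a project the caller cannot see would now answer 403 rather than 404 and thereby confirm that it exists. The existing 'denies project to be forked from a private project' spec in spec/requests/api/projects_spec.rb presumably pins the expected status for that case, so confirming it still passes with this ordering is the check to make. A short comment above the authorize! line, `# Fork permission is distinct from read access: a visible project may still have forking disabled.`, would explain why both checks are needed. The enclosing endpoint body starts and ends outside the hunk.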
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index c7c41e9a5e0..0c23bd3124e 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -25266,6 +25266,9 @@ msgstr ""
msgid "Your projects"
msgstr ""
+msgid "Your request for access could not be processed: %{error_meesage}"
+msgstr ""
+
msgid "Your request for access has been queued for review."
msgstr ""
@@ -25704,6 +25707,9 @@ msgstr ""
msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
msgstr ""
+msgid "email '%{email}' is not a verified email."
+msgstr ""
+
msgid "enabled"
msgstr ""
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 0deff138e2e..3abcf1cb7ed 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1891,6 +1891,17 @@ describe API::Projects do
expect(project_fork_target).to be_forked
end
+ it 'fails without permission from forked_from project' do
+ project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
+
+ post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ expect(project_fork_target.forked_from_project).to be_nil
+ expect(project_fork_target.fork_network_member).not_to be_present
+ expect(project_fork_target).not_to be_forked
+ end
+
it 'denies project to be forked from a private project' do
post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)