authorGitLab Bot <gitlab-bot@gitlab.com>2023-06-28 15:13:19 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-06-28 15:13:26 +0300
commitc49ef67dc34ca5770ca16ce3df17786f82cfbcb2 (patch)
treea28b8cfc9e2e0425de24e654886e1ab3a28407fd
parentf36b8d30e5026d0d4c76ca8103e53f241cf71d7c (diff)
Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee
-rw-r--r--app/controllers/import/github_controller.rb13
-rw-r--r--spec/controllers/import/github_controller_spec.rb32
2 files changed, 42 insertions, 3 deletions
diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb
index 41477519ba5..12210afd44a 100644
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@@ -7,6 +7,8 @@ class Import::GithubController < Import::BaseController
include ActionView::Helpers::SanitizeHelper
include Import::GithubOauth
+ before_action :authorize_owner_access!, except: [:new, :callback, :personal_access_token, :status, :details, :create,
+ :realtime_changes, :cancel_all, :counts]
before_action :verify_import_enabled
before_action :provider_auth, only: [:status, :realtime_changes, :create]
before_action :expire_etag_cache, only: [:status, :create]
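Review bot: The `except:` list on the new `before_action :authorize_owner_access!` is now the only record of which actions are project-scoped, and nothing says why those nine actions are exempt; a comment above it would help, e.g. `# Only actions that load a specific imported project (failures, cancel) require owner access; the listed actions are not project-scoped.` Using `except:` rather than `only:` is the right fail-closed default, since any project-scoped action added later is authorized unless explicitly exempted. Note that the filter is declared before `verify_import_enabled`, so a request for a project the user does not own is answered 404 even when the import feature is disabled — presumably acceptable, but worth confirming. The class body continues outside this hunk.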
@@ -92,8 +94,6 @@ class Import::GithubController < Import::BaseController
end
def failures
- project = Project.imported_from(provider_name).find(params[:project_id])
-
unless project.import_finished?
return render status: :bad_request, json: {
message: _('The import is not complete.')
@@ -107,7 +107,6 @@ class Import::GithubController < Import::BaseController
end
def cancel
- project = Project.imported_from(provider_name).find(params[:project_id])
result = Import::Github::CancelProjectImportService.new(project, current_user).execute
if result[:status] == :success
@@ -168,6 +167,14 @@ class Import::GithubController < Import::BaseController
private
+ def project
+ @project ||= Project.imported_from(provider_name).find(params[:project_id])
+ end
+
+ def authorize_owner_access!
+ return render_404 unless current_user.can?(:owner_access, project)
+ end
+
def import_params
params.permit(permitted_import_params)
end
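Review bot: In `authorize_owner_access!` the `return` in `return render_404 unless current_user.can?(:owner_access, project)` is redundant inside a `before_action`, since Rails halts the filter chain once a render has happened; `render_404 unless current_user.can?(:owner_access, project)` reads cleaner. The new `project` helper also lacks a comment stating that `find` raises `ActiveRecord::RecordNotFound` when no project imported from this provider matches `params[:project_id]` — which presumably is rendered as 404 by the base controller, so a missing project and a foreign project look alike to the caller; something like `# Raises ActiveRecord::RecordNotFound when the project does not exist or was not imported from this provider.` would make that explicit. The `||=` memoization is safe here because `find` never returns nil, so the lookup runs once per request even though both the filter and the action call `project`. The same helper replaces the locals removed from `failures` and `cancel` in the two preceding hunks, whose bodies continue outside their hunks.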
diff --git a/spec/controllers/import/github_controller_spec.rb b/spec/controllers/import/github_controller_spec.rb
index fdc0ddda9f4..bf56043a496 100644
--- a/spec/controllers/import/github_controller_spec.rb
+++ b/spec/controllers/import/github_controller_spec.rb
@@ -395,6 +395,12 @@ RSpec.describe Import::GithubController, feature_category: :importers do
)
end
+ let(:user) { project.owner }
+
+ before do
+ sign_in(user)
+ end
+
context 'when import is not finished' do
it 'return bad_request' do
get :failures, params: { project_id: project.id }
@@ -434,6 +440,16 @@ RSpec.describe Import::GithubController, feature_category: :importers do
expect(json_response.first['title']).to eq(issue_title)
end
end
+
+ context 'when signed user is not the owner' do
+ let(:user) { create(:user) }
+
+ it 'renders 404' do
+ get :failures, params: { project_id: project.id }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
end
describe "POST cancel" do
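Review bot: The new 'when signed user is not the owner' context in this hunk (and the matching one added for `POST cancel` in the last hunk) exercises only an unrelated user, whereas the boundary for `:owner_access` is a project maintainer, who should also get 404; a case such as `let(:user) { create(:user).tap { |u| project.add_maintainer(u) } }` asserting `:not_found` would pin that. The `let(:user) { project.owner }` plus `before { sign_in(user) }` setup is repeated verbatim in the `GET failures` and `POST cancel` describe blocks and could move to a shared context. The enclosing describe blocks start and end outside this hunk.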
@@ -444,6 +460,12 @@ RSpec.describe Import::GithubController, feature_category: :importers do
)
end
+ let(:user) { project.owner }
+
+ before do
+ sign_in(user)
+ end
+
context 'when project import was canceled' do
before do
allow(Import::Github::CancelProjectImportService)
@@ -476,6 +498,16 @@ RSpec.describe Import::GithubController, feature_category: :importers do
expect(json_response['errors']).to eq('The import cannot be canceled because it is finished')
end
end
+
+ context 'when signed user is not the owner' do
+ let(:user) { create(:user) }
+
+ it 'renders 404' do
+ post :cancel, params: { project_id: project.id }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
end
describe 'POST cancel_all' do