authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 17:29:44 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 17:29:44 +0300
commite9f6b3e0425707e9ce3b807a25d2da17fff2028d (patch)
treed0740952f492fb3c3a8c7b12c3a511fd08e2c2ea
parent631b4cefcb4dcd99549eba0678389699c5ef1839 (diff)
Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee
-rw-r--r--app/controllers/concerns/membership_actions.rb12
-rw-r--r--changelogs/unreleased/security-forked-from.yml5
-rw-r--r--lib/api/projects.rb2
-rw-r--r--locale/gitlab.pot6
-rw-r--r--spec/requests/api/projects_spec.rb11
5 files changed, 33 insertions, 3 deletions
diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 1cf9046e30f..4ab02005b45 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -53,10 +53,16 @@ module MembershipActions
end
def request_access
- membershipable.request_access(current_user)
+ access_requester = membershipable.request_access(current_user)
- redirect_to polymorphic_path(membershipable),
- notice: _('Your request for access has been queued for review.')
+ if access_requester.persisted?
+ redirect_to polymorphic_path(membershipable),
+ notice: _('Your request for access has been queued for review.')
+ else
+ redirect_to polymorphic_path(membershipable),
+ alert: _("Your request for access could not be processed: %{error_meesage}") %
+ { error_meesage: access_requester.errors.full_messages.to_sentence }
+ end
end
def approve_access_request
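Review bot: The interpolation key in the new alert is misspelled — `%{error_meesage}` in the `alert:` string and the matching hash key — and since that exact string is now the msgid in locale/gitlab.pot, the typo gets frozen into every translation and fixing it later invalidates them; rename it before this ships: `alert: _("Your request for access could not be processed: %{error_message}") % { error_message: access_requester.errors.full_messages.to_sentence }`. The branch also relays raw model validation messages to the requester; these are presumably membership validations (duplicate request and the like) and harmless, but it is worth confirming nothing about the target's membership policy is surfaced that the requester could not already see. The `persisted?` call assumes `membershipable.request_access` always returns a record rather than nil — if it can return nil the `else` branch raises instead of alerting, so confirm against the model. A one-line comment such as `# request_access returns an unsaved member when validation fails; surface why` above the `if` would spare the next reader the same question.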
diff --git a/changelogs/unreleased/security-forked-from.yml b/changelogs/unreleased/security-forked-from.yml
new file mode 100644
index 00000000000..77550193533
--- /dev/null
+++ b/changelogs/unreleased/security-forked-from.yml
@@ -0,0 +1,5 @@
+---
+title: Check forked project permissions before allowing fork
+merge_request:
+author:
+type: security
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 3717e25d997..a605160209e 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -441,6 +441,8 @@ module API
not_found!("Source Project") unless fork_from_project
+ authorize! :fork_project, fork_from_project
+
result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
if result
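Review bot: The added `authorize! :fork_project, fork_from_project` is the entire security fix here, yet it carries no comment saying what it guards, and from the hunk alone it is not visible whether `::Projects::ForkService` re-checks the source's forking permission itself (the changelog title suggests it did not, which is why a readable-but-unforkable source could previously be linked as `forked_from`). I'd add `# Being able to read the source is not enough: its forking feature may be disabled/private, and ForkService does not check this` above the new line. Placing the check after `not_found!` is the right order, since a source the user cannot read still 404s rather than leaking a 403. The enclosing endpoint body starts before and continues after this hunk, so whether `user_project` (the fork target) is itself authorized cannot be confirmed from here.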
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 39b77fc0aad..f0cb51989c9 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -23371,6 +23371,9 @@ msgstr ""
msgid "Your projects"
msgstr ""
+msgid "Your request for access could not be processed: %{error_meesage}"
+msgstr ""
+
msgid "Your request for access has been queued for review."
msgstr ""
@@ -23767,6 +23770,9 @@ msgstr ""
msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
msgstr ""
+msgid "email '%{email}' is not a verified email."
+msgstr ""
+
msgid "enabled"
msgstr ""
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 83f678ad2cb..8d0b9f88274 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1874,6 +1874,17 @@ describe API::Projects do
expect(project_fork_target).to be_forked
end
+ it 'fails without permission from forked_from project' do
+ project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
+
+ post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ expect(project_fork_target.forked_from_project).to be_nil
+ expect(project_fork_target.fork_network_member).not_to be_present
+ expect(project_fork_target).not_to be_forked
+ end
+
it 'denies project to be forked from a private project' do
post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)