gitlab.com/gitlab-org/gitlab-foss.git
author: Douwe Maan <douwe@gitlab.com> 2016-10-20 17:54:55 +0300
committer: Rémy Coutable <remy@rymai.me> 2016-10-20 18:17:45 +0300
commit: c1ba29981e9dfe2306358db89aa0c21008f5e59e
tree: 16a019f177d757db93b937f842821093e3e29297
parent: 734f58a78a5ffe72bf651451e777fccace985f45
Merge branch 'security-fix-leaking-namespace-name' into 'security'
Check that user has access to a given namespace to prevent leaking namespace names. See merge request !2009
-rw-r--r-- app/controllers/import/gitlab_projects_controller.rb | 4
-rw-r--r-- app/views/import/gitlab_projects/new.html.haml | 4
2 files changed, 4 insertions, 4 deletions
diff --git a/app/controllers/import/gitlab_projects_controller.rb b/app/controllers/import/gitlab_projects_controller.rb
index 3ec173abcdb..36d246d185b 100644
--- a/app/controllers/import/gitlab_projects_controller.rb
+++ b/app/controllers/import/gitlab_projects_controller.rb
@@ -2,8 +2,8 @@ class Import::GitlabProjectsController < Import::BaseController
before_action :verify_gitlab_project_import_enabled
def new
- @namespace_id = project_params[:namespace_id]
- @namespace_name = Namespace.find(project_params[:namespace_id]).name
+ @namespace = Namespace.find(project_params[:namespace_id])
+ return render_404 unless current_user.can?(:create_projects, @namespace)
@path = project_params[:path]
end
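Review bot: The new authorization check in `new` ships without a regression spec: the diffstat lists only the controller and the view. Please add a controller spec that requests `new` with a `namespace_id` the current user cannot create projects in and expects a 404, plus the positive case for a namespace the user owns. Two further points on the same lines. `Namespace.find(project_params[:namespace_id])` still runs before the permission check and raises for an id that does not exist, while an existing but forbidden namespace goes through `render_404`; confirm both paths return an indistinguishable response, otherwise the endpoint still tells a caller which namespace ids exist. And only `new` is guarded here, so confirm that the action receiving the upload applies the same `current_user.can?(:create_projects, @namespace)` check, since the id it receives comes back from the client.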
diff --git a/app/views/import/gitlab_projects/new.html.haml b/app/views/import/gitlab_projects/new.html.haml
index 44e2653ca4a..767dffb5589 100644
--- a/app/views/import/gitlab_projects/new.html.haml
+++ b/app/views/import/gitlab_projects/new.html.haml
@@ -9,12 +9,12 @@
%p
Project will be imported as
%strong
- #{@namespace_name}/#{@path}
+ #{@namespace.name}/#{@path}
%p
To move or copy an entire GitLab project from another GitLab installation to this one, navigate to the original project's settings page, generate an export file, and upload it here.
.form-group
- = hidden_field_tag :namespace_id, @namespace_id
+ = hidden_field_tag :namespace_id, @namespace.id
= hidden_field_tag :path, @path
= label_tag :file, class: 'control-label' do
%span GitLab project export
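Review bot: The `hidden_field_tag :namespace_id, @namespace.id` line round-trips the namespace through the client, so the value checked in `new` is not bound to the value that gets submitted with the file. A user can change the hidden field before posting, which means the check added in the controller only protects what this page renders. The action that handles this form should look the namespace up again from the submitted id and repeat the `:create_projects` check rather than trusting that the form was rendered for an authorized namespace. A short comment in the view or controller noting that `@namespace` has already passed the permission check by the time `@namespace.name` is rendered would also help future readers keep that ordering intact.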