Merge branch 'security-developer-transfer-project-12-2' into '12-2-stable'

Require Maintainer permission on group where project is transferred to

See merge request gitlab/gitlabhq!3473

3 files changed, 5 insertions, 1 deletions

diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index c686e7763bb..987f252546d 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -124,6 +124,8 @@ class GroupPolicy < BasePolicy
   rule { developer & developer_maintainer_access }.enable :create_projects
   rule { create_projects_disabled }.prevent :create_projects
 
+  rule { maintainer & can?(:create_projects) }.enable :transfer_projects
+
   def access_level
     return GroupMember::NO_ACCESS if @user.nil?
 
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index 2babcb0a2d9..926a8b7264d 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -14,4 +14,6 @@ class NamespacePolicy < BasePolicy
   end
 
   rule { personal_project & ~can_create_personal_project }.prevent :create_projects
+
+  rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
 end
diff --git a/app/services/projects/transfer_service.rb b/app/services/projects/transfer_service.rb
index 233dcf37e35..b94d618dc43 100644
--- a/app/services/projects/transfer_service.rb
+++ b/app/services/projects/transfer_service.rb
@@ -95,7 +95,7 @@ module Projects
       @new_namespace &&
         can?(current_user, :change_namespace, project) &&
         @new_namespace.id != project.namespace_id &&
-        current_user.can?(:create_projects, @new_namespace)
+        current_user.can?(:transfer_projects, @new_namespace)
     end
 
     def update_namespace_and_visibility(to_namespace)