author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:52:27 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:52:27 +0300 |
commit | 52dd3cdae10174cc35af6698b280acd1431cc4f8 (patch) | |
tree | 5dd5616b71029c5c4315961d8663b3a3c80714a5 /lib/api | |
parent | 38dadcee569adfbbb1c9dc99634bba4e9a9128bc (diff) |
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/repositories.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 70535496b12..6f8d34ea387 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -203,6 +203,10 @@ module API
 render_api_error!("Target project id:#{params[:from_project_id]} is not a fork of project id:#{params[:id]}", 400)
 end
+ unless can?(current_user, :read_code, target_project)
+ forbidden!("You don't have access to this fork's parent project")
+ end
+
 cache_key = compare_cache_key(current_user, user_project, target_project, declared_params)
 cache_action(cache_key, expires_in: 1.minute) do |
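Review bot: The new `forbidden!` branch answers 403 with a message confirming that `from_project_id` is a fork parent the caller cannot read, so a user without access still learns that the project exists and how it relates to `params[:id]`; the 400 branch just above draws the same distinction for the "not a fork" case. If that disclosure is not intended, consider returning `not_found!` for both outcomes when the caller lacks `:read_code` on the target. Placing the check ahead of `cache_action` looks right, since a denied request then never reaches the cached compare. A short comment such as `# The compare presumably reads code from target_project, so read_code on user_project alone is not sufficient` would record why this second authorization check exists. The enclosing endpoint starts and ends outside the hunk, so how `target_project` is resolved cannot be confirmed from here.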