Check permissions before showing a forked project's source

author: Nick Thomas <nick@gitlab.com> 2019-11-19 19:17:35 +0300
committer: Nick Thomas <nick@gitlab.com> 2019-11-25 14:50:16 +0300
commit: b49d06e415a247b80cc3edd11f137c025163a31a (patch)
tree: baeb898a2d56e8be3c0544cfd172ae445fadcc31 /lib
parent: 4d477238500c347c6553d335d920bedfc5a46869 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 91811efacd7..dde0f291bb3 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -283,7 +283,9 @@ module API
       expose :shared_runners_enabled
       expose :lfs_enabled?, as: :lfs_enabled
       expose :creator_id
-      expose :forked_from_project, using: Entities::BasicProjectDetails, if: lambda { |project, options| project.forked? }
+      expose :forked_from_project, using: Entities::BasicProjectDetails, if: ->(project, options) do
+        project.forked? && Ability.allowed?(options[:current_user], :read_project, project.forked_from_project)
+      end
       expose :import_status
 
       expose :import_error, if: lambda { |_project, options| options[:user_can_admin_project] } do |project|
author	Nick Thomas <nick@gitlab.com>	2019-11-19 19:17:35 +0300
committer	Nick Thomas <nick@gitlab.com>	2019-11-25 14:50:16 +0300
commit	b49d06e415a247b80cc3edd11f137c025163a31a (patch)
tree	baeb898a2d56e8be3c0544cfd172ae445fadcc31 /lib
parent	4d477238500c347c6553d335d920bedfc5a46869 (diff)