authorGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:26:40 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:26:58 +0300
commit5b91f2a1e51c291fb84ea60766791684fa982f22 (patch)
tree5eea88eb04d1ddd52210bfd08167e6a8d7206362 /spec/requests
parentf0f3848e7a0b458c35a1adf3cb1cca29a205a60e (diff)
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'spec/requests')
-rw-r--r--spec/requests/api/commits_spec.rb56
-rw-r--r--spec/requests/api/projects_spec.rb20
2 files changed, 72 insertions, 4 deletions
diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb
index 8b9ac7cd588..90595c2d7f9 100644
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -774,6 +774,62 @@ RSpec.describe API::Commits, feature_category: :source_code_management do
end
end
+ context 'when project repository access becomes restricted after being forked' do
+ let!(:fork_owner) { create(:user) }
+ let!(:forked_project) { fork_project(public_project, fork_owner, namespace: fork_owner.namespace, repository: true) }
+ let(:url) { "/projects/#{forked_project.id}/repository/commits" }
+
+ before do
+ # Restrict repository visibility of the public project
+ public_project.merge_requests_access_level = 'private'
+ public_project.builds_access_level = 'private'
+ public_project.repository_access_level = 'private'
+ public_project.save!
+
+ valid_c_params[:start_branch] = 'master'
+ valid_c_params[:branch] = 'patch'
+ valid_c_params[:start_project] = public_project.id
+ end
+
+ after do
+ # Reopen repository visibility of the public project
+ public_project.merge_requests_access_level = 'enabled'
+ public_project.repository_access_level = 'enabled'
+ public_project.builds_access_level = 'enabled'
+ public_project.save!
+ end
+
+ it 'returns a 403' do
+ post api(url, fork_owner), params: valid_c_params
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'when fork owner has no more access to a private repository' do
+ let_it_be(:private_project) { create(:project, :private, :repository) }
+ let_it_be(:fork_owner) { create(:user) }
+ let_it_be(:fork_owner_membership) { private_project.add_developer(fork_owner) }
+ let_it_be(:forked_project) { fork_project(private_project, fork_owner, namespace: fork_owner.namespace, repository: true) }
+ let(:url) { "/projects/#{forked_project.id}/repository/commits" }
+
+ before do
+ # Restrict user from repository
+ Members::DestroyService.new(private_project.owner).execute(fork_owner_membership)
+ Sidekiq::Worker.drain_all
+
+ valid_c_params[:start_branch] = 'master'
+ valid_c_params[:branch] = 'patch'
+ valid_c_params[:start_project] = private_project.id
+ end
+
+ it 'returns a 402' do
+ post api(url, fork_owner), params: valid_c_params
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
context 'when the target project is not part of the fork network of start_project' do
let(:unrelated_project) { create(:project, :public, :repository, creator: guest) }
let(:url) { "/projects/#{unrelated_project.id}/repository/commits" }
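Review bot: The example added at L75 is titled `'returns a 402'` but asserts `have_gitlab_http_status(:not_found)`, so the description contradicts the assertion; rename it to `it 'returns a 404' do` (404 rather than 403 is presumably intended so the response does not confirm that the private project exists). The `before` block of the first new context (L31–L41) mutates `public_project`'s access levels in place and the `after` block (L43–L49) hard-codes them back to `'enabled'` rather than restoring the previous values; `public_project` is defined outside this hunk, so if it is a `let_it_be` fixture consider `let_it_be_with_reload` or capturing the prior levels so a failing example cannot leak restricted state into later ones. The comment `# Restrict repository visibility of the public project` describes only one of the three levels changed at L33–L35; either drop `merge_requests_access_level`/`builds_access_level` if only `repository_access_level` drives the 403, or widen the comment to say why all three are set.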
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index e3e8df79a1d..12898060e22 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -3292,6 +3292,10 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and
let(:failed_status_code) { :not_found }
end
+ it 'refreshes the forks count cache' do
+ expect(project_fork_source.forks_count).to be_zero
+ end
+
context 'user is a developer' do
before do
project_fork_target.add_developer(user)
@@ -3304,15 +3308,23 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and
end
end
- it 'refreshes the forks count cache' do
- expect(project_fork_source.forks_count).to be_zero
- end
-
context 'user is maintainer' do
before do
project_fork_target.add_maintainer(user)
end
+ it 'denies project to be forked from an existing project' do
+ post api(path, user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'user is owner' do
+ before do
+ project_fork_target.add_owner(user)
+ end
+
context 'and user is a reporter of target group' do
let_it_be_with_reload(:target_group) { create(:group, project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) }
let_it_be_with_reload(:project_fork_target) { create(:project, namespace: target_group) }
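Review bot: The maintainer example at L110 checks only the status code; a denial test for a privilege boundary should also assert that no fork was created, e.g. `expect { post api(path, user) }.not_to change { project_fork_source.forks_count }`, so a regression that creates the fork and then returns 403 is still caught. `forks_count` is referred to as a cache at L92, so a count over the fork network may be a more reliable probe than the cached counter. The `context 'user is owner'` opened at L117 and the nested reporter context at L122 continue past the end of the hunk, so the owner-level expectations that replace the old maintainer behaviour cannot be reviewed here.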