authorGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:26:18 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:26:39 +0300
commit0cd445b1da235ab1807f7018ac8292d3bf6fec9f (patch)
tree19f33910267731410319c9202e49d19eeb5e7e13 /spec
parent46be8cb975ccaba9d5b22f459eea624751f7ae84 (diff)
Add latest changes from gitlab-org/security/gitlab@16-2-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/projects/error_tracking/projects_controller_spec.rb2
-rw-r--r--spec/helpers/merge_requests_helper_spec.rb39
-rw-r--r--spec/models/project_spec.rb60
-rw-r--r--spec/requests/api/commits_spec.rb56
-rw-r--r--spec/services/error_tracking/list_projects_service_spec.rb12
5 files changed, 156 insertions, 13 deletions
diff --git a/spec/controllers/projects/error_tracking/projects_controller_spec.rb b/spec/controllers/projects/error_tracking/projects_controller_spec.rb
index 7529c701b2b..63346faccbf 100644
--- a/spec/controllers/projects/error_tracking/projects_controller_spec.rb
+++ b/spec/controllers/projects/error_tracking/projects_controller_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe Projects::ErrorTracking::ProjectsController do
let(:user) { create(:user) }
it 'returns 404' do
- project.add_guest(user)
+ project.add_developer(user)
get :index, params: list_projects_params
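Review bot: The example `it 'returns 404' do` now exercises a developer instead of a guest, but its description no longer says which role is expected to be rejected, so a reader cannot see that the tested boundary moved. Renaming it, e.g. `it 'returns 404 for a developer' do`, keeps the intent visible. The removed guest case is only implied by the developer one if the permission check is monotonic across roles, which the spec does not state; keeping both examples would make that explicit. The example's assertion lies outside the hunk.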
diff --git a/spec/helpers/merge_requests_helper_spec.rb b/spec/helpers/merge_requests_helper_spec.rb
index b6c8653a563..3614cbe5011 100644
--- a/spec/helpers/merge_requests_helper_spec.rb
+++ b/spec/helpers/merge_requests_helper_spec.rb
@@ -234,4 +234,43 @@ RSpec.describe MergeRequestsHelper, feature_category: :code_review_workflow do
it { expect(tab_count_display(merge_request, '10')).to eq('10') }
end
end
+
+ describe '#allow_collaboration_unavailable_reason' do
+ subject { allow_collaboration_unavailable_reason(merge_request) }
+
+ let(:merge_request) do
+ create(:merge_request, author: author, source_project: project, source_branch: generate(:branch))
+ end
+
+ let_it_be(:public_project) { create(:project, :small_repo, :public) }
+ let(:project) { public_project }
+ let(:forked_project) { fork_project(project) }
+ let(:author) { project.creator }
+
+ context 'when the merge request allows collaboration for the user' do
+ before do
+ allow(merge_request).to receive(:can_allow_collaboration?).with(current_user).and_return(true)
+ end
+
+ it { is_expected.to be_nil }
+ end
+
+ context 'when the project is private' do
+ let(:project) { create(:project, :empty_repo, :private) }
+
+ it { is_expected.to eq(_('Not available for private projects')) }
+ end
+
+ context 'when the source branch is protected' do
+ let!(:protected_branch) { create(:protected_branch, project: project, name: merge_request.source_branch) }
+
+ it { is_expected.to eq(_('Not available for protected branches')) }
+ end
+
+ context 'when the merge request author cannot push to the source project' do
+ let(:author) { create(:user) }
+
+ it { is_expected.to eq(_('Merge request author cannot push to target project')) }
+ end
+ end
end
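Review bot: The context described as 'when the merge request author cannot push to the source project' asserts the message `_('Merge request author cannot push to target project')`, so the description and the expected text disagree about which project is meant; align the context name with the helper's message, `context 'when the merge request author cannot push to the target project' do`, unless the message itself is what needs correcting. `let(:forked_project) { fork_project(project) }` is never referenced anywhere in the new describe block and can be dropped. `current_user` is not defined inside the hunk; presumably it comes from an outer `let` earlier in the file.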
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 538f6b363e9..2219e35bc9b 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -6409,6 +6409,8 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
let!(:merge_request) do
create(
:merge_request,
+ author: author,
+ state_id: state_id,
target_project: target_project,
target_branch: 'target-branch',
source_project: project,
@@ -6417,6 +6419,9 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
)
end
+ let(:author) { project.creator }
+ let(:state_id) { MergeRequest.available_states[:opened] }
+
before do
target_project.add_developer(user)
end
@@ -6426,10 +6431,12 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
expect(project.merge_requests_allowing_push_to_user(user)).to include(merge_request)
end
- it 'does not include closed merge requests' do
- merge_request.close
+ context 'when the merge requests are closed' do
+ let(:state_id) { MergeRequest.available_states[:closed] }
- expect(project.merge_requests_allowing_push_to_user(user)).to be_empty
+ it 'does not include closed merge requests' do
+ expect(project.merge_requests_allowing_push_to_user(user)).to be_empty
+ end
end
it 'does not include merge requests for guest users' do
@@ -6451,16 +6458,38 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
end
describe '#any_branch_allows_collaboration?' do
- it 'allows access when there are merge requests open allowing collaboration', :sidekiq_might_not_need_inline do
- expect(project.any_branch_allows_collaboration?(user))
- .to be_truthy
- end
+ context 'when there is an open merge request allowing collaboration' do
+ it 'allows access', :sidekiq_might_not_need_inline do
+ expect(project.any_branch_allows_collaboration?(user))
+ .to be_truthy
+ end
+
+ context 'when the merge request author is not allowed to push_code' do
+ let(:author) { create(:user) }
- it 'does not allow access when there are no merge requests open allowing collaboration' do
- merge_request.close!
+ it 'returns false' do
+ expect(project.any_branch_allows_collaboration?(user))
+ .to be_falsey
+ end
+ end
- expect(project.any_branch_allows_collaboration?(user))
- .to be_falsey
+ context 'when the merge request is closed' do
+ let(:state_id) { MergeRequest.available_states[:closed] }
+
+ it 'returns false' do
+ expect(project.any_branch_allows_collaboration?(user))
+ .to be_falsey
+ end
+ end
+
+ context 'when the merge request is merged' do
+ let(:state_id) { MergeRequest.available_states[:merged] }
+
+ it 'returns false' do
+ expect(project.any_branch_allows_collaboration?(user))
+ .to be_falsey
+ end
+ end
end
end
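Review bot: The `describe '#any_branch_allows_collaboration?'` block gains a 'when the merge request is merged' context, but the sibling `#merge_requests_allowing_push_to_user` examples in the earlier hunk of this file only cover the closed state; a merged merge request is equally a non-open one and should be excluded there too, so a matching `context 'when the merge requests are merged'` with `let(:state_id) { MergeRequest.available_states[:merged] }` would keep the two describes symmetric. The contexts described as 'not allowed to push_code' replace the author with a fresh non-member user, which covers the simplest case; an author whose membership was granted and later removed is not exercised, if that path is relevant to the fix. The enclosing describe starts before the first hunk of this file.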
@@ -6508,6 +6537,15 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
.not_to exceed_query_limit(control).with_threshold(2)
end
end
+
+ context 'when the merge request author is not allowed to push_code' do
+ let(:author) { create(:user) }
+
+ it 'returns false' do
+ expect(project.branch_allows_collaboration?(user, 'awesome-feature-1'))
+ .to be_falsey
+ end
+ end
end
end
diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb
index 28126f1bdc2..d4d809f1869 100644
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -778,6 +778,62 @@ RSpec.describe API::Commits, feature_category: :source_code_management do
end
end
+ context 'when project repository access becomes restricted after being forked' do
+ let!(:fork_owner) { create(:user) }
+ let!(:forked_project) { fork_project(public_project, fork_owner, namespace: fork_owner.namespace, repository: true) }
+ let(:url) { "/projects/#{forked_project.id}/repository/commits" }
+
+ before do
+ # Restrict repository visibility of the public project
+ public_project.merge_requests_access_level = 'private'
+ public_project.builds_access_level = 'private'
+ public_project.repository_access_level = 'private'
+ public_project.save!
+
+ valid_c_params[:start_branch] = 'master'
+ valid_c_params[:branch] = 'patch'
+ valid_c_params[:start_project] = public_project.id
+ end
+
+ after do
+ # Reopen repository visibility of the public project
+ public_project.merge_requests_access_level = 'enabled'
+ public_project.repository_access_level = 'enabled'
+ public_project.builds_access_level = 'enabled'
+ public_project.save!
+ end
+
+ it 'returns a 403' do
+ post api(url, fork_owner), params: valid_c_params
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'when fork owner has no more access to a private repository' do
+ let_it_be(:private_project) { create(:project, :private, :repository) }
+ let_it_be(:fork_owner) { create(:user) }
+ let_it_be(:fork_owner_membership) { private_project.add_developer(fork_owner) }
+ let_it_be(:forked_project) { fork_project(private_project, fork_owner, namespace: fork_owner.namespace, repository: true) }
+ let(:url) { "/projects/#{forked_project.id}/repository/commits" }
+
+ before do
+ # Restrict user from repository
+ Members::DestroyService.new(private_project.owner).execute(fork_owner_membership)
+ Sidekiq::Worker.drain_all
+
+ valid_c_params[:start_branch] = 'master'
+ valid_c_params[:branch] = 'patch'
+ valid_c_params[:start_project] = private_project.id
+ end
+
+ it 'returns a 402' do
+ post api(url, fork_owner), params: valid_c_params
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
context 'when the target project is not part of the fork network of start_project' do
let(:unrelated_project) { create(:project, :public, :repository, creator: guest) }
let(:url) { "/projects/#{unrelated_project.id}/repository/commits" }
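Review bot: The example titled `it 'returns a 402' do` asserts `have_gitlab_http_status(:not_found)`, so the description contradicts the expectation; rename it to `it 'returns a 404' do`. The first context changes visibility on a shared `public_project` and restores it by hand in `after`, while the second context revokes membership with `Members::DestroyService` and then calls `Sidekiq::Worker.drain_all`; the first context does not drain, so if the visibility change also enqueues authorization refresh jobs (not visible here) the 403 could depend on ordering, and adding `Sidekiq::Worker.drain_all` after `public_project.save!` would make the two contexts consistent. `public_project` and `valid_c_params` are defined outside the hunk.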
diff --git a/spec/services/error_tracking/list_projects_service_spec.rb b/spec/services/error_tracking/list_projects_service_spec.rb
index d91808edc8d..53dbbfd8c71 100644
--- a/spec/services/error_tracking/list_projects_service_spec.rb
+++ b/spec/services/error_tracking/list_projects_service_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integratio
subject { described_class.new(project, user, params) }
before do
- project.add_reporter(user)
+ project.add_maintainer(user)
end
describe '#execute' do
@@ -137,6 +137,16 @@ RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integratio
end
end
+ context 'with user with insufficient permissions' do
+ before do
+ project.add_developer(user)
+ end
+
+ it 'returns error' do
+ expect(result).to include(status: :error, message: 'Access denied', http_status: :unauthorized)
+ end
+ end
+
context 'with error tracking disabled' do
before do
expect(project).to receive(:error_tracking_setting).at_least(:once)
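Review bot: The nested `before do project.add_developer(user) end` in the new 'with user with insufficient permissions' context runs after the outer `before`, which already called `project.add_maintainer(user)` in the earlier hunk of this file, so the example relies on `add_developer` lowering an existing maintainer membership rather than creating a new one; whether adding a member downgrades an existing higher role is not visible here and should be confirmed. Making the role a parameter of the outer hook, e.g. `let(:access_level) { :maintainer }` with `project.add_member(user, access_level)` in the outer `before` and `let(:access_level) { :developer }` in this context, removes the dependence on that behaviour. The `result` helper used in the expectation is defined outside the hunk.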