Diffstat (limited to 'app/controllers/import')
-rw-r--r--app/controllers/import/base_controller.rb10
-rw-r--r--app/controllers/import/bitbucket_controller.rb23
-rw-r--r--app/controllers/import/github_controller.rb26
-rw-r--r--app/controllers/import/gitlab_groups_controller.rb5
-rw-r--r--app/controllers/import/history_controller.rb5
5 files changed, 47 insertions, 22 deletions
diff --git a/app/controllers/import/base_controller.rb b/app/controllers/import/base_controller.rb
index 7ad3a2ee358..51ca12370e6 100644
--- a/app/controllers/import/base_controller.rb
+++ b/app/controllers/import/base_controller.rb
@@ -13,7 +13,13 @@ class Import::BaseController < ApplicationController
provider_repos: serialized_provider_repos,
incompatible_repos: serialized_incompatible_repos }
end
- format.html
+ format.html do
+ if params[:namespace_id]&.present?
+ @namespace = Namespace.find_by_id(params[:namespace_id])
+
+ render_404 unless current_user.can?(:create_projects, @namespace)
+ end
+ end
end
end
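Review bot: The authorization added in the `format.html` block relies on `can?` denying a nil subject, because `Namespace.find_by_id` returns nil for an unknown id and that nil goes straight into `current_user.can?(:create_projects, @namespace)`. Making the miss explicit, `render_404 unless @namespace && current_user.can?(:create_projects, @namespace)`, keeps the check fail-closed without depending on policy behaviour that is not visible here. `params[:namespace_id]&.present?` can be written `params[:namespace_id].present?`, since `present?` is defined on nil. The check covers only the HTML format, and the enclosing action starts above the hunk.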
@@ -70,7 +76,7 @@ class Import::BaseController < ApplicationController
end
def already_added_projects
- @already_added_projects ||= filtered(find_already_added_projects(provider_name))
+ @already_added_projects ||= find_already_added_projects(provider_name)
end
# rubocop: disable CodeReuse/ActiveRecord
diff --git a/app/controllers/import/bitbucket_controller.rb b/app/controllers/import/bitbucket_controller.rb
index cfd86429df0..7c9525d1744 100644
--- a/app/controllers/import/bitbucket_controller.rb
+++ b/app/controllers/import/bitbucket_controller.rb
@@ -12,14 +12,21 @@ class Import::BitbucketController < Import::BaseController
rescue_from Bitbucket::Error::Unauthorized, with: :bitbucket_unauthorized
def callback
- response = oauth_client.auth_code.get_token(params[:code], redirect_uri: users_import_bitbucket_callback_url)
+ auth_state = session[:bitbucket_auth_state]
+ session[:bitbucket_auth_state] = nil
- session[:bitbucket_token] = response.token
- session[:bitbucket_expires_at] = response.expires_at
- session[:bitbucket_expires_in] = response.expires_in
- session[:bitbucket_refresh_token] = response.refresh_token
+ if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state])
+ go_to_bitbucket_for_permissions
+ else
+ response = oauth_client.auth_code.get_token(params[:code], redirect_uri: users_import_bitbucket_callback_url)
+
+ session[:bitbucket_token] = response.token
+ session[:bitbucket_expires_at] = response.expires_at
+ session[:bitbucket_expires_in] = response.expires_in
+ session[:bitbucket_refresh_token] = response.refresh_token
- redirect_to status_import_bitbucket_url
+ redirect_to status_import_bitbucket_url
+ end
end
def status
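Review bot: `params[:state]` reaches `secure_compare` without being coerced to a string, so a callback that omits `state`, or sends it as an array or hash while a session state exists, will probably raise instead of being rejected cleanly; `!ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state].to_s)` avoids that. The same comparison appears as a context line in the GitHub `callback` in github_controller.rb. On a mismatch this code calls `go_to_bitbucket_for_permissions`, which silently restarts the flow, whereas the GitHub controller calls `provider_unauthorized`. Logging the mismatch and returning an error would make forged or replayed callbacks visible to whoever monitors the importer.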
@@ -113,7 +120,9 @@ class Import::BitbucketController < Import::BaseController
end
def go_to_bitbucket_for_permissions
- redirect_to oauth_client.auth_code.authorize_url(redirect_uri: users_import_bitbucket_callback_url)
+ state = SecureRandom.base64(64)
+ session[:bitbucket_auth_state] = state
+ redirect_to oauth_client.auth_code.authorize_url(redirect_uri: users_import_bitbucket_callback_url, state: state)
end
def bitbucket_unauthorized(exception)
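Review bot: `SecureRandom.base64(64)` can emit `+`, `/` and `=`, which survive the redirect round trip only if every hop percent-encodes and decodes them exactly; a `+` decoded as a space would make the `secure_compare` in `callback` fail and restart the flow. `state = SecureRandom.urlsafe_base64(64)` removes that dependency. The session slot holds a single value, so starting the flow in a second tab invalidates the first; a one-line comment such as `# one pending OAuth state per session; a new attempt replaces the previous one` would document that.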
diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb
index 55f4563285d..9bd8f893614 100644
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@@ -23,24 +23,25 @@ class Import::GithubController < Import::BaseController
if !ci_cd_only? && github_import_configured? && logged_in_with_provider?
go_to_provider_for_permissions
elsif session[access_token_key]
- redirect_to status_import_url
+ redirect_to status_import_url(namespace_id: params[:namespace_id])
end
end
def callback
- auth_state = session[auth_state_key]
- session[auth_state_key] = nil
+ auth_state = session.delete(auth_state_key)
+ namespace_id = session.delete(:namespace_id)
+
if auth_state.blank? || !ActiveSupport::SecurityUtils.secure_compare(auth_state, params[:state])
provider_unauthorized
else
session[access_token_key] = get_token(params[:code])
- redirect_to status_import_url
+ redirect_to status_import_url(namespace_id: namespace_id)
end
end
def personal_access_token
session[access_token_key] = params[:personal_access_token]&.strip
- redirect_to status_import_url
+ redirect_to status_import_url(namespace_id: params[:namespace_id].presence)
end
def status
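Review bot: `new` forwards `params[:namespace_id]` unchanged while `personal_access_token` applies `.presence`, so an empty value yields a `namespace_id=` query parameter from one action and none from the other; use `params[:namespace_id].presence` in both. The `namespace_id` that `callback` reads from the session is whatever the client supplied in `provider_auth` (last hunk of this file), and nothing in this controller validates it. It appears to be safe only because the status page re-checks `create_projects` in base_controller.rb, so a comment such as `# namespace_id is untrusted here; Import::BaseController#status authorizes it` would keep later callers from trusting it.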
@@ -62,7 +63,15 @@ class Import::GithubController < Import::BaseController
end
def realtime_changes
- super
+ Gitlab::PollingInterval.set_header(response, interval: 3_000)
+
+ render json: already_added_projects.map { |project|
+ {
+ id: project.id,
+ import_status: project.import_status,
+ stats: ::Gitlab::GithubImport::ObjectCounter.summary(project)
+ }
+ }
end
protected
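Review bot: `::Gitlab::GithubImport::ObjectCounter.summary(project)` is called once per project on an endpoint that the client is told to poll every 3 seconds, and `already_added_projects` is no longer passed through `filtered` (base_controller.rb hunk), so the list may be larger than before. Whether `summary` hits a cache or the database is not visible here; if it is not cheap, bound the list or batch the lookup. The interval literal would read better as a named constant, for example `POLLING_INTERVAL_MS = 3_000`.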
@@ -201,8 +210,8 @@ class Import::GithubController < Import::BaseController
public_send("new_import_#{provider_name}_url", extra_import_params) # rubocop:disable GitlabSecurity/PublicSend
end
- def status_import_url
- public_send("status_import_#{provider_name}_url", extra_import_params) # rubocop:disable GitlabSecurity/PublicSend
+ def status_import_url(namespace_id: nil)
+ public_send("status_import_#{provider_name}_url", extra_import_params.merge({ namespace_id: namespace_id })) # rubocop:disable GitlabSecurity/PublicSend
end
def callback_import_url
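Review bot: `extra_import_params.merge({ namespace_id: namespace_id })` always writes the key, so a `namespace_id` already present in `extra_import_params` would be replaced by nil when the caller passes nothing; whether that key can occur is not visible in this hunk. `extra_import_params.merge({ namespace_id: namespace_id }.compact)` adds it only when set. The `public_send` on an interpolated helper name is pre-existing and stays safe only while `provider_name` is never derived from request input.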
@@ -248,6 +257,7 @@ class Import::GithubController < Import::BaseController
def provider_auth
if !ci_cd_only? && session[access_token_key].blank?
+ session[:namespace_id] = params[:namespace_id]
go_to_provider_for_permissions
end
end
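Review bot: `session[:namespace_id]` is a generic key, unlike the provider-scoped `auth_state_key` and `access_token_key` used around it, and it is cleared only in `callback`. If the OAuth flow is abandoned, the value stays in the session and the next successful callback redirects with it. A provider-scoped key and `session[key] = params[:namespace_id].presence` would avoid persisting an empty value or colliding with another flow. `provider_auth` starts above the hunk.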
diff --git a/app/controllers/import/gitlab_groups_controller.rb b/app/controllers/import/gitlab_groups_controller.rb
index aca71f6d57a..c9d5e9986dc 100644
--- a/app/controllers/import/gitlab_groups_controller.rb
+++ b/app/controllers/import/gitlab_groups_controller.rb
@@ -3,7 +3,6 @@
class Import::GitlabGroupsController < ApplicationController
include WorkhorseAuthorization
- before_action :ensure_group_import_enabled
before_action :check_import_rate_limit!, only: %i[create]
feature_category :importers
@@ -51,10 +50,6 @@ class Import::GitlabGroupsController < ApplicationController
end
end
- def ensure_group_import_enabled
- render_404 unless Feature.enabled?(:group_import_export, @group, default_enabled: true)
- end
-
def check_import_rate_limit!
check_rate_limit!(:group_import, scope: current_user) do
redirect_to new_group_path, alert: _('This endpoint has been requested too many times. Try again later.')
diff --git a/app/controllers/import/history_controller.rb b/app/controllers/import/history_controller.rb
new file mode 100644
index 00000000000..69e31392f21
--- /dev/null
+++ b/app/controllers/import/history_controller.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Import::HistoryController < ApplicationController
+ feature_category :importers
+end