From e9f6b3e0425707e9ce3b807a25d2da17fff2028d Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Tue, 26 May 2020 14:29:44 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee
---
 app/controllers/concerns/membership_actions.rb | 12 +++++++++---
 changelogs/unreleased/security-forked-from.yml | 5 +++++
 lib/api/projects.rb | 2 ++
 locale/gitlab.pot | 6 ++++++
 spec/requests/api/projects_spec.rb | 11 +++++++++++
 5 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/security-forked-from.yml
diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 1cf9046e30f..4ab02005b45 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -53,10 +53,16 @@ module MembershipActions
 end
 def request_access
- membershipable.request_access(current_user)
+ access_requester = membershipable.request_access(current_user)
- redirect_to polymorphic_path(membershipable),
- notice: _('Your request for access has been queued for review.')
+ if access_requester.persisted?
+ redirect_to polymorphic_path(membershipable),
+ notice: _('Your request for access has been queued for review.')
+ else
+ redirect_to polymorphic_path(membershipable),
+ alert: _("Your request for access could not be processed: %{error_meesage}") %
+ { error_meesage: access_requester.errors.full_messages.to_sentence }
+ end
 end
 def approve_access_request
diff --git a/changelogs/unreleased/security-forked-from.yml b/changelogs/unreleased/security-forked-from.yml
new file mode 100644
index 00000000000..77550193533
--- /dev/null
+++ b/changelogs/unreleased/security-forked-from.yml
@@ -0,0 +1,5 @@
+---
+title: Check forked project permissions before allowing fork
+merge_request:
+author:
+type: security
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 3717e25d997..a605160209e 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
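Review bot: The interpolation key in the new alert branch of `request_access` is misspelled as `%{error_meesage}`, both in the `_("...")` literal and in the hash `{ error_meesage: ... }`, and the matching msgid added to locale/gitlab.pot in this same patch carries the typo, so it becomes part of the translation key that every translator must reproduce. The code and the hash key agree, so the message renders today, but correcting it later will invalidate any translations made against the misspelled msgid. Suggest `alert: _("Your request for access could not be processed: %{error_message}") %` and `{ error_message: access_requester.errors.full_messages.to_sentence }`, with the pot msgid updated to match. The `else` branch surfaces model validation messages verbatim in the flash; that is sensible for access-request errors, but worth confirming that the messages `request_access` can produce contain nothing the requester should not see. The enclosing module continues outside the hunk.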
@@ -441,6 +441,8 @@ module API
 not_found!("Source Project") unless fork_from_project
+ authorize! :fork_project, fork_from_project
+
 result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
 if result
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 39b77fc0aad..f0cb51989c9 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -23371,6 +23371,9 @@ msgstr ""
 msgid "Your projects"
 msgstr ""
+msgid "Your request for access could not be processed: %{error_meesage}"
+msgstr ""
+
 msgid "Your request for access has been queued for review."
 msgstr ""
@@ -23767,6 +23770,9 @@ msgstr ""
 msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
 msgstr ""
+msgid "email '%{email}' is not a verified email."
+msgstr ""
+
 msgid "enabled"
 msgstr ""
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 83f678ad2cb..8d0b9f88274 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1874,6 +1874,17 @@ describe API::Projects do
 expect(project_fork_target).to be_forked
 end
+ it 'fails without permission from forked_from project' do
+ project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
+
+ post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ expect(project_fork_target.forked_from_project).to be_nil
+ expect(project_fork_target.fork_network_member).not_to be_present
+ expect(project_fork_target).not_to be_forked
+ end
+
 it 'denies project to be forked from a private project' do
 post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)
-- cgit v1.2.3
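Review bot: The added `authorize! :fork_project, fork_from_project` protects only this API endpoint; the `::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)` call on the next line still creates the fork relation without checking that ability itself, so any other caller of `execute(user_project)` (none is visible in this patch, so this is an inference) would remain unguarded. Consider enforcing the `:fork_project` check inside the service as well, or at least documenting at the service that callers are responsible for the authorization, e.g. `# Callers must verify :fork_project on the source project before calling execute.` Placing the check after `not_found!` and before the service call is the right order for this endpoint. The enclosing endpoint body starts and ends outside the hunk.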