From 5b91f2a1e51c291fb84ea60766791684fa982f22 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 27 Sep 2023 22:26:40 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee --- spec/requests/api/commits_spec.rb | 56 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'spec/requests/api/commits_spec.rb') diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb index 8b9ac7cd588..90595c2d7f9 100644 --- a/spec/requests/api/commits_spec.rb +++ b/spec/requests/api/commits_spec.rb @@ -774,6 +774,62 @@ RSpec.describe API::Commits, feature_category: :source_code_management do end end + context 'when project repository access becomes restricted after being forked' do + let!(:fork_owner) { create(:user) } + let!(:forked_project) { fork_project(public_project, fork_owner, namespace: fork_owner.namespace, repository: true) } + let(:url) { "/projects/#{forked_project.id}/repository/commits" } + + before do + # Restrict repository visibility of the public project + public_project.merge_requests_access_level = 'private' + public_project.builds_access_level = 'private' + public_project.repository_access_level = 'private' + public_project.save! + + valid_c_params[:start_branch] = 'master' + valid_c_params[:branch] = 'patch' + valid_c_params[:start_project] = public_project.id + end + + after do + # Reopen repository visibility of the public project + public_project.merge_requests_access_level = 'enabled' + public_project.repository_access_level = 'enabled' + public_project.builds_access_level = 'enabled' + public_project.save! + end + + it 'returns a 403' do + post api(url, fork_owner), params: valid_c_params + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'when fork owner has no more access to a private repository' do + let_it_be(:private_project) { create(:project, :private, :repository) } + let_it_be(:fork_owner) { create(:user) } + let_it_be(:fork_owner_membership) { private_project.add_developer(fork_owner) } + let_it_be(:forked_project) { fork_project(private_project, fork_owner, namespace: fork_owner.namespace, repository: true) } + let(:url) { "/projects/#{forked_project.id}/repository/commits" } + + before do + # Restrict user from repository + Members::DestroyService.new(private_project.owner).execute(fork_owner_membership) + Sidekiq::Worker.drain_all + + valid_c_params[:start_branch] = 'master' + valid_c_params[:branch] = 'patch' + valid_c_params[:start_project] = private_project.id + end + + it 'returns a 402' do + post api(url, fork_owner), params: valid_c_params + + expect(response).to have_gitlab_http_status(:not_found) + end + end + context 'when the target project is not part of the fork network of start_project' do let(:unrelated_project) { create(:project, :public, :repository, creator: guest) } let(:url) { "/projects/#{unrelated_project.id}/repository/commits" } -- cgit v1.2.3