From 1fb0bae24e6686b3571fc1c44cbf239d8563e0d7 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 30 Aug 2023 19:42:57 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-3-stable-ee

---
 spec/requests/api/projects_spec.rb | 41 ++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

(limited to 'spec/requests')

diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 26132215404..601e8cb3081 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -3311,16 +3311,41 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and
           project_fork_target.add_maintainer(user)
         end
 
-        it 'allows project to be forked from an existing project' do
-          expect(project_fork_target).not_to be_forked
+        context 'and user is a reporter of target group' do
+          let_it_be_with_reload(:target_group) { create(:group, project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) }
+          let_it_be_with_reload(:project_fork_target) { create(:project, namespace: target_group) }
 
-          post api(path, user)
-          project_fork_target.reload
+          before do
+            target_group.add_reporter(user)
+          end
 
-          expect(response).to have_gitlab_http_status(:created)
-          expect(project_fork_target.forked_from_project.id).to eq(project_fork_source.id)
-          expect(project_fork_target.fork_network_member).to be_present
-          expect(project_fork_target).to be_forked
+          it 'fails as target namespace is unauthorized' do
+            post api(path, user)
+
+            expect(response).to have_gitlab_http_status(:unauthorized)
+            expect(json_response['message']).to eq "401 Unauthorized - Target Namespace"
+          end
+        end
+
+        context 'and user is a developer of target group' do
+          let_it_be_with_reload(:target_group) { create(:group, project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) }
+          let_it_be_with_reload(:project_fork_target) { create(:project, namespace: target_group) }
+
+          before do
+            target_group.add_developer(user)
+          end
+
+          it 'allows project to be forked from an existing project' do
+            expect(project_fork_target).not_to be_forked
+
+            post api(path, user)
+            project_fork_target.reload
+
+            expect(response).to have_gitlab_http_status(:created)
+            expect(project_fork_target.forked_from_project.id).to eq(project_fork_source.id)
+            expect(project_fork_target.fork_network_member).to be_present
+            expect(project_fork_target).to be_forked
+          end
         end
 
         it 'fails without permission from forked_from project' do
-- 
cgit v1.2.3