From 52dd3cdae10174cc35af6698b280acd1431cc4f8 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:52:27 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 spec/requests/api/repositories_spec.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'spec/requests')

diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index 555ba2bc978..be26fe24061 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -573,6 +573,22 @@ RSpec.describe API::Repositories, feature_category: :source_code_management do
     context 'when authenticated', 'as a developer' do
       it_behaves_like 'repository compare' do
         let(:current_user) { user }
+
+        context 'when user does not have read access to the parent project' do
+          let_it_be(:group) { create(:group) }
+          let(:forked_project) { fork_project(project, current_user, repository: true, namespace: group) }
+
+          before do
+            forked_project.add_guest(current_user)
+          end
+
+          it 'returns 403 error' do
+            get api(route, current_user), params: { from: 'improve/awesome', to: 'feature', from_project_id: forked_project.id }
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+            expect(json_response['message']).to eq("403 Forbidden - You don't have access to this fork's parent project")
+          end
+        end
       end
     end
 
-- 
cgit v1.2.3