Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

e80b54a5 · GitLab Bot · 65e85dd1 · e80b54a5 · e80b54a5 · e80b54a5
5 changed file
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -53,10 +53,16 @@ module MembershipActions
  end

  def request_access
-    membershipable.request_access(current_user)
+    access_requester = membershipable.request_access(current_user)

-    redirect_to polymorphic_path(membershipable),
-                notice: _('Your request for access has been queued for review.')
+    if access_requester.persisted?
+      redirect_to polymorphic_path(membershipable),
+                  notice: _('Your request for access has been queued for review.')
+    else
+      redirect_to polymorphic_path(membershipable),
+                  alert: _("Your request for access could not be processed: %{error_meesage}") %
+                    { error_meesage: access_requester.errors.full_messages.to_sentence }
+    end
  end

  def approve_access_request

--- a/changelogs/unreleased/security-forked-from.yml
+++ b/changelogs/unreleased/security-forked-from.yml
+---
+title: Check forked project permissions before allowing fork
+merge_request:
+author:
+type: security
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -444,6 +444,8 @@ module API

        not_found!("Source Project") unless fork_from_project

+        authorize! :fork_project, fork_from_project
+
        result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)

        if result

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -24201,6 +24201,9 @@ msgstr ""
 msgid "Your projects"
 msgstr ""

+msgid "Your request for access could not be processed: %{error_meesage}"
+msgstr ""
+
 msgid "Your request for access has been queued for review."
 msgstr ""

@@ -24618,6 +24621,9 @@ msgstr ""
 msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
 msgstr ""

+msgid "email '%{email}' is not a verified email."
+msgstr ""
+
 msgid "enabled"
 msgstr ""


--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1891,6 +1891,17 @@ describe API::Projects do
          expect(project_fork_target).to be_forked
        end

+        it 'fails without permission from forked_from project' do
+          project_fork_source.project_feature.update_attribute(:forking_access_level, ProjectFeature::PRIVATE)
+
+          post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(project_fork_target.forked_from_project).to be_nil
+          expect(project_fork_target.fork_network_member).not_to be_present
+          expect(project_fork_target).not_to be_forked
+        end
+
        it 'denies project to be forked from a private project' do
          post api("/projects/#{project_fork_target.id}/fork/#{private_project_fork_source.id}", user)