    Validate projects in MR build service · 08dbd93b
    Bob Van Landuyt authored
    This validates the correct abilities for both projects. Only
    `read_project` isn't enough:
    
    For the `source_project` we validate `create_merge_request_from`; this
    also validates that the user has developer access to the project.
    
    For the `target_project` we validate `create_merge_request_in`; this
    also validates that the user has access to the project's repository.
    
    To avoid generating diffs for unrelated projects we also validate that
    the projects are in the same fork network now.
security-bvl-fix-cross-project-mr-exposure.yml 132 Bytes