Merge branch 'security-fix-leaking-namespace-name' into 'security'

Check that user has access to a given namespace to prevent leaking namespace names. See merge request !2009

Merge branch 'security-fix-leaking-namespace-name' into 'security'
Check that user has access to a given namespace to prevent leaking namespace names. See merge request !2009
c1ba2998 · Douwe Maan · Rémy Coutable · 734f58a7 · c1ba2998 · c1ba2998
Commit c1ba2998 authored Oct 20, 2016 by Douwe Maan Committed by Rémy Coutable Oct 20, 2016
Showing with 4 additions and 4 deletions

app/controllers/import/gitlab_projects_controller.rb app/controllers/import/gitlab_projects_controller.rb +2 -2

app/views/import/gitlab_projects/new.html.haml app/views/import/gitlab_projects/new.html.haml +2 -2

No files found.
--- a/app/controllers/import/gitlab_projects_controller.rb
+++ b/app/controllers/import/gitlab_projects_controller.rb
@@ -2,8 +2,8 @@ class Import::GitlabProjectsController < Import::BaseController
  before_action :verify_gitlab_project_import_enabled

  def new
-    @namespace_id = project_params[:namespace_id]
-    @namespace_name = Namespace.find(project_params[:namespace_id]).name
+    @namespace = Namespace.find(project_params[:namespace_id])
+    return render_404 unless current_user.can?(:create_projects, @namespace)
    @path = project_params[:path]
  end


--- a/app/views/import/gitlab_projects/new.html.haml
+++ b/app/views/import/gitlab_projects/new.html.haml
@@ -9,12 +9,12 @@
  %p
    Project will be imported as
    %strong
-      #{@namespace_name}/#{@path}
+      #{@namespace.name}/#{@path}

  %p
    To move or copy an entire GitLab project from another GitLab installation to this one, navigate to the original project's settings page, generate an export file, and upload it here.
  .form-group
-    = hidden_field_tag :namespace_id, @namespace_id
+    = hidden_field_tag :namespace_id, @namespace.id
    = hidden_field_tag :path, @path
    = label_tag :file, class: 'control-label' do
      %span GitLab project export