Commit b248ee93 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Check permissions when importing project members

Closes #14899
parent 8a0a802e
...@@ -20,6 +20,9 @@ v 8.7.0 (unreleased) ...@@ -20,6 +20,9 @@ v 8.7.0 (unreleased)
- Fall back to `In-Reply-To` and `References` headers when sub-addressing is not available (David Padilla) - Fall back to `In-Reply-To` and `References` headers when sub-addressing is not available (David Padilla)
- Remove "Congratulations!" tweet button on newly-created project. (Connor Shea) - Remove "Congratulations!" tweet button on newly-created project. (Connor Shea)
v 8.6.5 (unreleased)
- Check permissions when user attempts to import members from another project
v 8.6.4 v 8.6.4
- Don't attempt to fetch any tags from a forked repo (Stan Hu) - Don't attempt to fetch any tags from a forked repo (Stan Hu)
......
...@@ -95,8 +95,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController ...@@ -95,8 +95,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
def apply_import def apply_import
giver = Project.find(params[:source_project_id]) giver = Project.find(params[:source_project_id])
if current_user.can?(:read_project_member, giver)
status = @project.team.import(giver, current_user) status = @project.team.import(giver, current_user)
notice = status ? "Successfully imported" : "Import failed" notice = status ? "Successfully imported" : "Import failed"
else
notice = 'You are not authorized to import members from this project'
end
redirect_to(namespace_project_project_members_path(project.namespace, project), redirect_to(namespace_project_project_members_path(project.namespace, project),
notice: notice) notice: notice)
......
require('spec_helper')
describe Projects::ProjectMembersController do
let(:project) { create(:project) }
let(:another_project) { create(:project, :private) }
let(:user) { create(:user) }
let(:member) { create(:user) }
before do
project.team << [user, :master]
another_project.team << [member, :guest]
sign_in(user)
end
describe '#apply_import' do
shared_context 'import applied' do
before do
post(:apply_import, namespace_id: project.namespace.to_param,
project_id: project.to_param,
source_project_id: another_project.id)
end
end
context 'when user can access source project members' do
before { another_project.team << [user, :guest] }
include_context 'import applied'
it 'imports source project members' do
expect(project.team_members).to include member
expect(response).to set_flash.to 'Successfully imported'
expect(response).to redirect_to(
namespace_project_project_members_path(project.namespace, project)
)
end
end
context 'when user is not member of a source project' do
include_context 'import applied'
it 'does not import team members' do
expect(project.team_members).to_not include member
end
it 'notifies about invalid permissions' do
expect(response).to set_flash.to /not authorized/
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment