e80b54a5
Commit
e80b54a5
authored
May 26, 2020
by
GitLab Bot
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
parent
65e85dd1
Changes
5
Showing
5 changed files
with
33 additions
and
3 deletions
+33
-3
app/controllers/concerns/membership_actions.rb
app/controllers/concerns/membership_actions.rb
+9
-3
changelogs/unreleased/security-forked-from.yml
changelogs/unreleased/security-forked-from.yml
+5
-0
lib/api/projects.rb
lib/api/projects.rb
+2
-0
locale/gitlab.pot
locale/gitlab.pot
+6
-0
spec/requests/api/projects_spec.rb
spec/requests/api/projects_spec.rb
+11
-0
app/controllers/concerns/membership_actions.rb
...
...
@@ -53,10 +53,16 @@ module MembershipActions
end
def
request_access
membershipable
.
request_access
(
current_user
)
access_requester
=
membershipable
.
request_access
(
current_user
)
redirect_to
polymorphic_path
(
membershipable
),
notice:
_
(
'Your request for access has been queued for review.'
)
if
access_requester
.
persisted?
redirect_to
polymorphic_path
(
membershipable
),
notice:
_
(
'Your request for access has been queued for review.'
)
else
redirect_to
polymorphic_path
(
membershipable
),
alert:
_
(
"Your request for access could not be processed: %{error_meesage}"
)
%
{
error_meesage:
access_requester
.
errors
.
full_messages
.
to_sentence
}
end
end
def
approve_access_request
...
...
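Review bot: The interpolation key `error_meesage` on the `alert:` branch is misspelled in both the format string and the hash passed to `%`, so it only works because the two sides happen to agree, and the same typo is now frozen into the msgid added to locale/gitlab.pot, where every translation will have to carry it. Renaming both occurrences to `error_message` before this ships avoids invalidating translations later. The `else` branch also presumes that `membershipable.request_access(current_user)` returns an unpersisted record with `errors` populated rather than raising; if that helper can raise, the user never reaches the alert, which is worth confirming against its implementation since it is not visible here. The `request_access` method is complete within the hunk, while the following `approve_access_request` definition is cut off.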
changelogs/unreleased/security-forked-from.yml
0 → 100644
---
title
:
Check forked project permissions before allowing fork
merge_request
:
author
:
type
:
security
lib/api/projects.rb
...
...
@@ -444,6 +444,8 @@ module API
not_found!
(
"Source Project"
)
unless
fork_from_project
authorize!
:fork_project
,
fork_from_project
result
=
::
Projects
::
ForkService
.
new
(
fork_from_project
,
current_user
).
execute
(
user_project
)
if
result
...
...
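Review bot: The new `authorize! :fork_project, fork_from_project` line deserves a comment stating why a second check is needed right after the `not_found!` guard, because a reader may assume the 404 path already covers every source the caller may not fork; for example `# forking can be disabled per project (forking_access_level), so a source the caller can read may still refuse forks`. The lookup that sets `fork_from_project` is outside the hunk, so whether the 404 covers all sources the caller cannot read is inferred from the accompanying spec rather than visible here. The enclosing endpoint block starts and ends outside the hunk.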
locale/gitlab.pot
...
...
@@ -24201,6 +24201,9 @@ msgstr ""
msgid "Your projects"
msgstr ""
msgid "Your request for access could not be processed: %{error_meesage}"
msgstr ""
msgid "Your request for access has been queued for review."
msgstr ""
...
...
@@ -24618,6 +24621,9 @@ msgstr ""
msgid "email '%{email}' does not match the allowed domain of '%{email_domain}'"
msgstr ""
msgid "email '%{email}' is not a verified email."
msgstr ""
msgid "enabled"
msgstr ""
...
...
spec/requests/api/projects_spec.rb
...
...
@@ -1891,6 +1891,17 @@ describe API::Projects do
expect
(
project_fork_target
).
to
be_forked
end
it
'fails without permission from forked_from project'
do
project_fork_source
.
project_feature
.
update_attribute
(
:forking_access_level
,
ProjectFeature
::
PRIVATE
)
post
api
(
"/projects/
#{
project_fork_target
.
id
}
/fork/
#{
project_fork_source
.
id
}
"
,
user
)
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
expect
(
project_fork_target
.
forked_from_project
).
to
be_nil
expect
(
project_fork_target
.
fork_network_member
).
not_to
be_present
expect
(
project_fork_target
).
not_to
be_forked
end
it
'denies project to be forked from a private project'
do
post
api
(
"/projects/
#{
project_fork_target
.
id
}
/fork/
#{
private_project_fork_source
.
id
}
"
,
user
)
...
...
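Review bot: The new example `'fails without permission from forked_from project'` appears to depend on `user` not being a member of `project_fork_source`, since setting `forking_access_level` to `ProjectFeature::PRIVATE` presumably only denies non-members; both `user` and `project_fork_source` are defined outside the hunk, so that precondition should be confirmed or stated in the example. `update_attribute` also bypasses validations and callbacks on `project_feature`, so `project_fork_source.project_feature.update!(forking_access_level: ProjectFeature::PRIVATE)` keeps the fixture closer to what the application itself would produce. The enclosing `describe` block starts and ends outside the hunk.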