Disabled repos on public projects can still be cloned
Users who are not project members can still download code from a public project whose
repository is set to disabled or restricted to team members only.
Steps to reproduce
- Create a project with public visibility level
- Go to project settings and set repository permissions to disabled or **only team members**
- Try to clone this same project without being a project member.
Expected behavior: the user should get a 403 error.
Actual behavior: the repository is cloned!!!
Relevant logs and/or screenshots
We should also improve the description of the public visibility level, since public projects
can now have restricted repositories.
```ruby
def upload_pack_allowed?
  return false unless Gitlab.config.gitlab_shell.upload_pack

  if user
    access_check.allowed?
  else
    # Anonymous clone: only project visibility is consulted here,
    # the repository access level is never checked
    ci? || project.public?
  end
end
```
We should improve the permissions check here and look for other security issues around cloning and pushing code when a project is public.
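To make the failure concrete, here is a minimal model of the upload-pack check, added as an example and not GitLab's own code. It places logic shaped like the quoted method beside a version that consults the repository access level first, and runs the reproduction case from this issue through both. The `Project` struct, the three access-level constants, and `legacy_access_check_allowed?` (a stand-in for what `access_check.allowed?` is described as permitting) are assumptions made for the example.

```ruby
# Added example (not GitLab's code): a minimal model of the upload-pack
# permission check. All names and the Project model are assumptions.
module UploadPackCheck
  # The three repository settings named in the issue.
  DISABLED  = :disabled    # "disabled"
  TEAM_ONLY = :team_only   # "only team members"
  ENABLED   = :enabled     # default

  Project = Struct.new(:public_visibility, :repository_access, :members) do
    def public?
      public_visibility
    end

    def member?(user)
      !user.nil? && members.include?(user)
    end
  end

  # Stand-in for `access_check.allowed?` as the issue describes its effect:
  # an authenticated user may download code from any public project, or from
  # a project they belong to. Assumed behaviour, not GitLab's implementation.
  def self.legacy_access_check_allowed?(project, user)
    project.public? || project.member?(user)
  end

  # Vulnerable form: mirrors the structure of the quoted method. Neither
  # branch looks at `repository_access`, so a public project with the
  # repository disabled or restricted to team members is still cloneable.
  def self.vulnerable_upload_pack_allowed?(project, user, ci: false)
    if user
      legacy_access_check_allowed?(project, user)
    else
      ci || project.public?
    end
  end

  # Hardened form: the repository access level is checked first, for every
  # kind of caller, and project visibility only matters when the repository
  # feature is fully enabled.
  def self.hardened_upload_pack_allowed?(project, user, ci: false)
    case project.repository_access
    when DISABLED
      false                                   # nobody, not even CI
    when TEAM_ONLY
      ci || project.member?(user)             # the project's own CI jobs and members
    when ENABLED
      ci || project.public? || project.member?(user)
    else
      false                                   # unknown setting: deny
    end
  end

  # Runs the issue's reproduction case (public project, repository restricted
  # to team members, clone by a non-member) through both checks.
  def self.reproduce
    alice = :alice
    project = Project.new(true, TEAM_ONLY, [alice])
    {
      vulnerable_anonymous: vulnerable_upload_pack_allowed?(project, nil),
      vulnerable_non_member: vulnerable_upload_pack_allowed?(project, :bob),
      vulnerable_member: vulnerable_upload_pack_allowed?(project, alice),
      hardened_anonymous: hardened_upload_pack_allowed?(project, nil),
      hardened_non_member: hardened_upload_pack_allowed?(project, :bob),
      hardened_member: hardened_upload_pack_allowed?(project, alice),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  UploadPackCheck.reproduce.each { |name, allowed| puts "#{name}: #{allowed}" }
end
```

Running the file prints that the vulnerable check admits the anonymous and non-member clones on the team-only repository while the hardened one refuses both and still admits the member. The design point is that the access-level check is the first thing evaluated and applies to every branch, so adding a new caller type later (CI, deploy keys, a new auth path) cannot reintroduce the bypass by skipping it.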