Private project's namespace and name leak in new MR view
As described in https://gitlab.com/gitlab-org/gitlab-ce/issues/15532#guessing-namespaces, on the new MR (compare) view, you can see a private project's namespace and name by simply putting merge_request%5Btarget_project_id%5D=3
in the URL.
For instance, in my local setup, the twitter/flight
project is private to my current user1
but I can see its namespace and name in the view:
As a fix, I suggest adding the following change in MergeRequests::BuildService#execute
:
def execute
merge_request = MergeRequest.new(params)
# Set MR attributes
merge_request.can_be_created = false
merge_request.compare_commits = []
merge_request.source_project = project unless merge_request.source_project
+ merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
merge_request.target_project ||= (project.forked_from_project || project)
merge_request.target_branch ||= merge_request.target_project.default_branch