Private project's namespace and name leak in new MR view
As described in https://gitlab.com/gitlab-org/gitlab-ce/issues/15532#guessing-namespaces, on the new MR (compare) view you can see a private project's namespace and name simply by putting merge_request%5Btarget_project_id%5D=3 (i.e. merge_request[target_project_id]=3, URL-encoded) in the URL: the target project is looked up by that id and rendered without checking that the current user may read it, so the id can be enumerated.
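The lookup-without-authorization described above, as an added Ruby model that is not GitLab's code: a small in-memory project table, a hypothetical can? policy, a vulnerable compare builder that renders whatever target_project_id the query string names, and a hardened builder that treats an unreadable target like a missing one. All names (User, Project, can?, find_project, build_compare_vulnerable, build_compare_hardened) and the sample projects are assumptions; the ids mirror the report's target_project_id=3.

```ruby
# Added example, not GitLab's code. Everything here is a constructed stand-in
# for the real models: User, Project, can?, find_project and the builders are
# hypothetical names chosen to mirror the new-MR (compare) flow.

User = Struct.new(:username)

Project = Struct.new(:id, :namespace, :name, :visibility, :members,
                     :forked_from_project) do
  # What the compare view renders for the target: "namespace/name".
  def path_with_namespace
    "#{namespace}/#{name}"
  end
end

# Raised where a controller would render 404, so the response is the same
# for "does not exist" and "exists but you may not read it".
class NotFound < StandardError; end

# Hypothetical policy: public projects are readable by anyone, private
# projects only by their members. nil (unknown id) is never readable.
def can?(user, ability, project)
  return false if project.nil? || ability != :read_project
  project.visibility == :public || project.members.include?(user)
end

USER1 = User.new('user1')
BOB   = User.new('bob')

# Constructed sample data mirroring the report: twitter/flight (id 3) is
# private and user1 is not a member of it.
PROJECTS = [
  Project.new(1, 'user1', 'mine', :private, [USER1], nil),
  Project.new(2, 'gitlab-org', 'gitlab-ce', :public, [BOB], nil),
  Project.new(3, 'twitter', 'flight', :private, [BOB], nil),
].map { |p| [p.id, p] }.to_h

def find_project(id)
  PROJECTS[id]
end

# merge_request[target_project_id] as it arrives from the query string.
def requested_target(params)
  id = params['target_project_id']
  id && find_project(id.to_i)
end

# Vulnerable: whatever id the attacker puts in the URL is looked up and its
# namespace/name rendered, so private projects can be enumerated by id.
def build_compare_vulnerable(_current_user, project, params)
  target = requested_target(params)
  target ||= project.forked_from_project || project
  { target_project: target.path_with_namespace }
end

# Hardened: an explicit target the user cannot read (or that does not exist)
# is a 404, and the fallback target is checked the same way instead of being
# trusted just because it came from the server side.
def build_compare_hardened(current_user, project, params)
  target = requested_target(params)
  if params.key?('target_project_id')
    raise NotFound unless can?(current_user, :read_project, target)
  end
  target ||= project.forked_from_project || project
  raise NotFound unless can?(current_user, :read_project, target)
  { target_project: target.path_with_namespace }
end

if __FILE__ == $PROGRAM_NAME
  mine = find_project(1)
  # user1 browsing their own project, target id guessed as 3
  p build_compare_vulnerable(USER1, mine, 'target_project_id' => '3')
  begin
    build_compare_hardened(USER1, mine, 'target_project_id' => '3')
  rescue NotFound
    puts '404 for unreadable target'
  end
end
```

Responding with the same 404 for "unreadable" and "nonexistent" matters: a distinct "forbidden" response would still confirm that id 3 is a real private project.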
For instance, in my local setup, the twitter/flight project is private and not accessible to my current user, user1, but I can see its namespace and name in the view:
As a fix, I suggest adding the following change in
def execute merge_request = MergeRequest.new(params) # Set MR attributes merge_request.can_be_created = false merge_request.compare_commits =  merge_request.source_project = project unless merge_request.source_project + merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project) merge_request.target_project ||= (project.forked_from_project || project) merge_request.target_branch ||= merge_request.target_project.default_branch
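Review bot: the added `merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)` line hides the leak, but the very next line, `merge_request.target_project ||= (project.forked_from_project || project)`, then silently substitutes the fork's upstream or the current project, so a request naming a target_project_id the user may not read succeeds against a different target instead of failing, and the substituted `project.forked_from_project` is never itself checked with `can?(current_user, :read_project, ...)`. Suggest rendering 404 when an explicit target_project_id is unreadable and applying the same read check after the fallback assignment as well. Also, as pasted here `merge_request.compare_commits =` has no right-hand side; please confirm the intended value in the actual change.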