Skip to content
GitLab
Next
    • Why GitLab
    • Pricing
    • Contact Sales
    • Explore
  • Why GitLab
  • Pricing
  • Contact Sales
  • Explore
  • Sign in
  • Get free trial
  • GitLab.orgGitLab.org
  • GitLab FOSSGitLab FOSS
  • Issues
  • #18028

User with guest role can fork project and therefore gain access to the code

Currently we do not check permissions in ForkService.

It is possible to fork project (for example using API) if only user has a read_project ability (guests do). User can easily bypass restrictions on downloading code (accessing code is available to reporter role and greater).

This can be considered as a security issue. /cc @DouweM

Assignee
Assign to
Time tracking