Disabled repos on public projects can still be cloned
Users are still able to download code from public projects whose repository
is disabled or restricted to team members only.
Steps to reproduce
- Create a project with public visibility level
- Go to project settings and set repository permissions to disabled or **only team members**
- Try to clone this same project without being a project member.
Expected behavior
User should see a 403 error
Actual behavior
Repository is being cloned!!!
Relevant logs and/or screenshots
We should also improve the description of the public visibility level, since
public projects can now have restricted repositories.
Possible fixes
check app/controllers/projects/git_http_controller.rb:78

```ruby
def upload_pack_allowed?
  # Global switch: git-upload-pack (clone/fetch) disabled in gitlab.yml
  return false unless Gitlab.config.gitlab_shell.upload_pack

  if user
    # Authenticated request: defer to the access check
    access_check.allowed?
  else
    # Anonymous request: only CI or project visibility is consulted;
    # the repository feature's own access level is never checked here
    ci? || project.public?
  end
end
```
We should improve the permissions check here and look for other security issues about cloning and pushing code when project is public.
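To make the gap in the anonymous branch concrete, here is an added, self-contained Ruby model of the decision (example code written for this page, not GitLab's own; the `Project` struct, the `RepoAccess` constants and the `repository_readable_by?` helper are stand-ins for the real project and feature-permission objects, and the authenticated branch of the original is approximated by the same helper). It places the check as quoted above next to a hardened variant that consults the repository feature level for every requester:

```ruby
# Repository feature levels as described in the issue (local stand-ins,
# not GitLab's real constants).
module RepoAccess
  DISABLED = :disabled   # repository feature switched off
  PRIVATE  = :private    # "only team members"
  ENABLED  = :enabled    # everyone who can see the project
end

# Minimal stand-in for a GitLab project: visibility, repository feature
# level and the list of members. `user` is a plain string, nil = anonymous.
Project = Struct.new(:visibility, :repository_access, :members, keyword_init: true) do
  def public?
    visibility == :public
  end

  def member?(user)
    !user.nil? && members.include?(user)
  end

  # Can `user` read this project's repository feature?
  def repository_readable_by?(user)
    case repository_access
    when RepoAccess::DISABLED then false
    when RepoAccess::PRIVATE  then member?(user)
    when RepoAccess::ENABLED  then public? || member?(user)
    else false
    end
  end
end

# The check as quoted from git_http_controller.rb. For an anonymous clone
# only project visibility is consulted, so a public project whose
# repository is disabled or members-only is still served.
def upload_pack_allowed_original?(project, user, ci: false, upload_pack: true)
  return false unless upload_pack
  if user
    project.repository_readable_by?(user)   # stands in for access_check.allowed?
  else
    ci || project.public?
  end
end

# Hardened variant: the repository feature level decides for every requester,
# anonymous or not. CI is still allowed through on the assumption (ours, not
# the page's) that a CI job is already scoped to the project it runs in.
def upload_pack_allowed_fixed?(project, user, ci: false, upload_pack: true)
  return false unless upload_pack
  return true if ci
  project.repository_readable_by?(user)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a public project with the repository feature disabled.
  p = Project.new(visibility: :public, repository_access: RepoAccess::DISABLED, members: ["alice"])
  puts "original allows anonymous clone: #{upload_pack_allowed_original?(p, nil)}"
  puts "fixed allows anonymous clone:    #{upload_pack_allowed_fixed?(p, nil)}"
end
```

The point of the model is the anonymous branch: `project.public?` answers "can this project be seen", not "can its repository be read", and those are different questions once a public project can restrict its repository. Whatever the real fix looks like, the clone path needs to ask the second question.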