Imported Gitlab project can have a higher visibility than containing group
Summary
An imported Gitlab project will retain its original visibility even if the containing group has a lower visibility. I discovered this in the middle of migrating from a self-hosted instance to Gitlab.com, when I exposed a sensitive internal project to everyone logged in to Gitlab.com. Our projects on the self-hosted instance are all internal, which makes sense for something internal to the company but is very bad on Gitlab.com.
Steps to reproduce
- Export a project with internal or public visibility
- Import that project into a private group
Example Project
- Original project, public visibility: https://gitlab.com/skycoop/visibility-test
- Private group with no members aside from me: https://gitlab.com/visibility-testing-68ff8d54
- Imported version, still public visibility: https://gitlab.com/visibility-testing-68ff8d54/visibility-test-import
What is the current bug behavior?
The imported project ignores the group's visibility and remains public, which effectively forces the group to behave as if it were public.
What is the expected correct behavior?
Imported project is limited by the group's visibility and becomes private.
Output of checks
This bug happens on Gitlab.com
Possible fixes
Generally the fix should have the importer check the group's visibility and only use the exported visibility if it is the same as or more restrictive than the group's; otherwise the imported project should be capped at the group's visibility. I'll poke around when I have some spare time to see if I can find the best place for this check to happen.
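The check proposed above, written out as a stand-alone Ruby example (this is added illustrative code, not GitLab's own importer or any of its internal APIs): an imported project's visibility is clamped to the destination group's visibility, so a public or internal export landing in a private group ends up private. The level numbers follow GitLab's private < internal < public ordering; the module, constant and method names are this example's own assumptions.

```ruby
# Added example (not GitLab's code): clamp an imported project's visibility
# to its destination group's visibility, as proposed under "Possible fixes".
module ImportVisibility
  # Ordered levels; a lower number is more restrictive (assumed naming).
  LEVELS = { 'private' => 0, 'internal' => 10, 'public' => 20 }.freeze
  NAMES  = LEVELS.invert.freeze

  # Returns the visibility the imported project should get: the exported
  # visibility when it is the same as or more restrictive than the group's,
  # otherwise the group's own visibility.
  def self.effective_visibility(exported, group)
    exported_level = LEVELS.fetch(exported) { raise ArgumentError, "unknown visibility #{exported.inspect}" }
    group_level    = LEVELS.fetch(group)    { raise ArgumentError, "unknown visibility #{group.inspect}" }
    NAMES.fetch([exported_level, group_level].min)
  end

  # True when the export's visibility would have escaped the group's
  # restriction, i.e. the situation this report describes.
  def self.clamped?(exported, group)
    effective_visibility(exported, group) != exported
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample cases, including the report's scenario
  # (a public export imported into a private group).
  [%w[public private], %w[internal private], %w[private public], %w[internal internal]].each do |exported, group|
    result = ImportVisibility.effective_visibility(exported, group)
    flag = ImportVisibility.clamped?(exported, group) ? ' (clamped)' : ''
    puts "exported=#{exported} group=#{group} -> #{result}#{flag}"
  end
end
```

Taking the minimum of the two levels is what makes the check safe in both directions: a project can never become more visible than its group, and a project that is already more restrictive than its group keeps that restriction rather than being widened to match.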