Commit 3b34c4e1 authored by Pavel Shutsin

Fix permissions check on project members import

When using project members import, the user must have
Maintainer+ access on both projects, as
the documentation states.

Changelog: security
parent 40988573
......@@ -34,13 +34,13 @@ def index
end
def import
@projects = current_user.authorized_projects.order_id_desc
@projects = Project.visible_to_user_and_access_level(current_user, Gitlab::Access::MAINTAINER).order_id_desc
end
def apply_import
source_project = Project.find(params[:source_project_id])
if can?(current_user, :read_project_member, source_project)
if can?(current_user, :admin_project_member, source_project)
status = @project.team.import(source_project, current_user)
notice = status ? "Successfully imported" : "Import failed"
else
......
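Review bot: In `apply_import`, the source project is still loaded with an unscoped `Project.find(params[:source_project_id])`, while `import` now builds its list from `Project.visible_to_user_and_access_level(current_user, Gitlab::Access::MAINTAINER)`. The listing and the enforcement express the same rule in two different ways (an access-level query versus the `:admin_project_member` ability), so they can drift apart later. Consider loading the source project through the same scoped relation, or at least commenting that the two must stay in step. With the unscoped lookup, an id for a project the user cannot administer falls through to the `else` branch while a nonexistent id raises from `find`; if those two responses differ, the endpoint tells a caller which project ids exist.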
......@@ -624,9 +624,9 @@
end
end
context 'when user can access source project members' do
context 'when user can admin source project members' do
before do
another_project.add_guest(user)
another_project.add_maintainer(user)
end
include_context 'import applied'
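Review bot: The `before` block in this context swaps `another_project.add_guest(user)` for `another_project.add_maintainer(user)`, so the guest role, which is the one that passed under the old `:read_project_member` check, is no longer exercised anywhere in the hunks shown. Keep a guest case as an explicit negative test that asserts no members are imported; that pins the regression this commit fixes rather than only the new happy path.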
......@@ -640,7 +640,11 @@
end
end
context 'when user is not member of a source project' do
context "when user can't admin source project members" do
before do
another_project.add_developer(user)
end
include_context 'import applied'
it 'does not import team members' do
......
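Review bot: The context "when user is not member of a source project" is renamed and given `another_project.add_developer(user)`, which replaces the non-member case instead of adding to it. Developer is the right boundary role to test, but a user with no membership at all is a distinct path and deserves its own context alongside this one. Separately, none of the spec hunks shown covers the changed query in `import`; a test that the project list omits projects where the user is below Maintainer would cover the first half of the controller change.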