Forking public projects does not take repository feature availability into account
When a user with access forks a public project whose repository feature is set to "Members Only", we leak the repository: the fork is created as a public project with the repository feature set to "Everyone with access".
Steps to reproduce:
- Create a public project with some code
- Mark the repository feature as "Members Only"
- As a user with access, fork the project to a different public namespace
- The code is now available to anonymous users in the fork.
Other things to consider:
Should we deal with this for existing forks when a project lowers the visibility level of the repository feature?
- Constrain the list of acceptable values for ProjectFeature#repository_access_level in a fork, in the same way we used to do for
- Copy the project_feature record from source to fork when forking (via
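
The leak and the two options above can be seen in a small plain-Ruby model. This is an added example, not GitLab's code: the Project struct, the numeric level constants and every helper name are hypothetical and exist only for illustration.

```ruby
# Hypothetical model of the report; numeric values are constructed for ordering only.
DISABLED     = 0
MEMBERS_ONLY = 10   # "Members Only"
EVERYONE     = 20   # "Everyone with access"

Project = Struct.new(:name, :visibility, :repository_access_level,
                     :members, :forked_from, keyword_init: true) do
  # user == nil models an anonymous visitor.
  def repository_readable_by?(user)
    return false if repository_access_level == DISABLED
    return true if members.include?(user)
    visibility == :public && repository_access_level == EVERYONE
  end
end

# Behaviour described in the report: the fork keeps the source's visibility
# but gets the default repository level instead of the source's.
def fork_with_defaults(source, owner)
  raise ArgumentError, "no repository access" unless source.repository_readable_by?(owner)
  Project.new(name: "#{owner}/#{source.name}", visibility: source.visibility,
              repository_access_level: EVERYONE, members: [owner], forked_from: source)
end

# Option: copy the feature level from the source when forking.
def fork_copying_feature(source, owner)
  fork = fork_with_defaults(source, owner)
  fork.repository_access_level = source.repository_access_level
  fork
end

# Option: constrain acceptable values in a fork to the source's level or lower.
def set_repository_access_level(project, requested)
  ceiling = project.forked_from ? project.forked_from.repository_access_level : EVERYONE
  raise ArgumentError, "level #{requested} exceeds source level #{ceiling}" if requested > ceiling
  project.repository_access_level = requested
end

# Audit for the open question: existing forks that are now more permissive
# than their source, for example after the source lowered its level.
def forks_exceeding_source(projects)
  projects.select do |p|
    p.forked_from && p.repository_access_level > p.forked_from.repository_access_level
  end
end
```
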