Forking public projects does not take repository feature availability into account
When forking a public project whose repository feature is set to "Members Only", the repository is leaked as soon as a user with access forks the project: the fork is created as a public project with its repository feature set to "Everyone with access", so the code becomes readable by anonymous users through the fork.
Steps to reproduce:
- Create a public project with some code
- Mark the repository feature as "Members Only"
- As a user with access, fork the project to a different public namespace
- The code is now available to anonymous users in the fork.
Other things to consider:
Should we also handle existing forks when a project later lowers the access level of its repository feature?
Proposal
- Constrain the list of acceptable values for `ProjectFeature#repository_access_level` in a fork, in the same way we used to do for `Project#visibility_level`: https://gitlab.com/gitlab-org/gitlab/-/issues/198519#note_319181207
- Copy the `project_feature` record from source to fork when forking (via `Projects::ForkService`)
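The following is an added example, not GitLab's own code, that models the reproduction steps above and the two-part proposal (clamp the fork's repository access level to the source's, and copy the feature record on fork), plus a re-clamp helper for the "existing forks" question. The numeric constants are assumed to mirror `Gitlab::VisibilityLevel` and `ProjectFeature`; the `Project` struct and every method name here are hypothetical stand-ins for `Projects::ForkService` and the model validation.

```ruby
# Added example: a minimal model of the leak and of the proposed fix.
# Constants are assumed to mirror GitLab's values; all classes and
# method names are hypothetical and are not GitLab's own code.

module Visibility
  PRIVATE  = 0
  INTERNAL = 10
  PUBLIC   = 20
end

module FeatureAccess
  DISABLED = 0   # feature switched off
  PRIVATE  = 10  # "Members Only"
  ENABLED  = 20  # "Everyone with access"
end

# Stand-in for a project row plus its project_feature record.
Project = Struct.new(:name, :visibility_level, :repository_access_level,
                     :forked_from, keyword_init: true)

# Anonymous users can read a repository only when the project is public
# AND the repository feature is "Everyone with access".
def repository_visible_to_anonymous?(project)
  project.visibility_level == Visibility::PUBLIC &&
    project.repository_access_level == FeatureAccess::ENABLED
end

# Current (buggy) behaviour described in the issue: the fork gets a fresh
# project_feature record with the default ENABLED repository access,
# regardless of what the source project had.
def naive_fork(source, target_visibility:)
  Project.new(name: "#{source.name}-fork",
              visibility_level: target_visibility,
              repository_access_level: FeatureAccess::ENABLED,
              forked_from: source)
end

# Proposed behaviour: copy the source's repository access level into the
# fork and never let the fork's level exceed the source's, even if the
# caller asks for a more permissive value.
def constrained_fork(source, target_visibility:,
                     requested_access: FeatureAccess::ENABLED)
  clamped = [requested_access, source.repository_access_level].min
  Project.new(name: "#{source.name}-fork",
              visibility_level: target_visibility,
              repository_access_level: clamped,
              forked_from: source)
end

# Model-level check a validation could enforce on save: a fork's
# repository_access_level must not be wider than its source's.
def valid_fork_access?(project)
  src = project.forked_from
  src.nil? || project.repository_access_level <= src.repository_access_level
end

# For the "existing forks" question: when a source project lowers its
# repository access level, re-clamp every fork that now exceeds it.
# Returns the forks that were changed.
def reclamp_forks!(source, forks)
  forks.select { |f| f.forked_from.equal?(source) }.select do |f|
    next false if f.repository_access_level <= source.repository_access_level
    f.repository_access_level = source.repository_access_level
    true
  end
end

if __FILE__ == $0
  # Constructed sample: a public project with a "Members Only" repository.
  upstream = Project.new(name: "upstream",
                         visibility_level: Visibility::PUBLIC,
                         repository_access_level: FeatureAccess::PRIVATE)
  leaky = naive_fork(upstream, target_visibility: Visibility::PUBLIC)
  safe  = constrained_fork(upstream, target_visibility: Visibility::PUBLIC)
  puts "naive fork readable by anonymous: #{repository_visible_to_anonymous?(leaky)}"
  puts "constrained fork readable by anonymous: #{repository_visible_to_anonymous?(safe)}"
end
```

`constrained_fork` takes the minimum of the requested and source access levels rather than blindly copying, so a fork into a namespace that deliberately wants a tighter setting (for example `DISABLED`) is still honoured; only widening is refused.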
Edited by Patrick Bajao