Skip to content

GitLab Next

You need to sign in or sign up before continuing.
Open
Created by Bob Van Landuyt@reprazentMaintainer

Forking public projects does not take repository feature availability into account

When forking a public project with the repository feature set to "Members Only", we leak the the repository when a user with access forks the project. In this case we create a Public project with the repository feature set to "Everyone with access".

Steps to reproduce:

  1. Create a public project with some code
  2. Mark the repository feature as "Members Only"
  3. As a user with access, fork the project to a different public namespace
  4. The code is now available to anonymous users in the fork.

Other things to consider:

Should we deal with this for existing forks when a project lowers the visibility level of the repository feature?

Proposal

  1. Constrain the list of acceptable values for ProjectFeature#repository_access_level in a fork, in the same way we used to do for Project#visibility_level: https://gitlab.com/gitlab-org/gitlab/-/issues/198519#note_319181207
  2. Copy the project_feature record from source to fork when forking (via Projects::ForkService)
Edited by Patrick Bajao