Merge branch 'security-fix-leaking-namespace-name' into 'security'

Check that user has access to a given namespace to prevent leaking namespace names. See merge request !2009
2016-10-20 14:54:55 +00:00 · 2016-10-20 14:54:55 +00:00 · 4a0e8f59e2
parent 0e43e34b45
commit 4a0e8f59e2
2 changed files with 4 additions and 4 deletions
--- a/app/controllers/import/gitlab_projects_controller.rb
+++ b/app/controllers/import/gitlab_projects_controller.rb
@ -2,8 +2,8 @@ class Import::GitlabProjectsController < Import::BaseController
  before_action :verify_gitlab_project_import_enabled

  def new
-    @namespace_id = project_params[:namespace_id]
-    @namespace_name = Namespace.find(project_params[:namespace_id]).name
+    @namespace = Namespace.find(project_params[:namespace_id])
+    return render_404 unless current_user.can?(:create_projects, @namespace)
    @path = project_params[:path]
  end

--- a/app/views/import/gitlab_projects/new.html.haml
+++ b/app/views/import/gitlab_projects/new.html.haml
@ -9,12 +9,12 @@
  %p
    Project will be imported as
    %strong
-      #{@namespace_name}/#{@path}
+      #{@namespace.name}/#{@path}

  %p
    To move or copy an entire GitLab project from another GitLab installation to this one, navigate to the original project's settings page, generate an export file, and upload it here.
  .form-group
-    = hidden_field_tag :namespace_id, @namespace_id
+    = hidden_field_tag :namespace_id, @namespace.id
    = hidden_field_tag :path, @path
    = label_tag :file, class: 'control-label' do
      %span GitLab project export