Commit 4a0e8f59 authored by Douwe Maan, committed by Rémy Coutable

Merge branch 'security-fix-leaking-namespace-name' into 'security'

Check that user has access to a given namespace to prevent leaking namespace names.

See merge request !2009
parent 0e43e34b
...@@ -2,8 +2,8 @@ class Import::GitlabProjectsController < Import::BaseController ...@@ -2,8 +2,8 @@ class Import::GitlabProjectsController < Import::BaseController
before_action :verify_gitlab_project_import_enabled before_action :verify_gitlab_project_import_enabled
def new def new
@namespace_id = project_params[:namespace_id] @namespace = Namespace.find(project_params[:namespace_id])
@namespace_name = Namespace.find(project_params[:namespace_id]).name return render_404 unless current_user.can?(:create_projects, @namespace)
@path = project_params[:path] @path = project_params[:path]
end end
......
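Review bot: In `new`, `Namespace.find(project_params[:namespace_id])` raises on an unknown or missing id before the `can?(:create_projects, @namespace)` guard runs, so the "does not exist" and "not permitted" cases leave the action through different paths. Since the purpose of the change is to stop namespace names leaking, confirm both cases produce the same response, or load with `find_by(id: ...)` and send a nil result through the same `render_404` line. No spec is visible here; a controller test requesting `new` with a namespace the user cannot create projects in, asserting a 404 and no namespace name in the body, would pin the fix down.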
...@@ -9,12 +9,12 @@ ...@@ -9,12 +9,12 @@
%p %p
Project will be imported as Project will be imported as
%strong %strong
#{@namespace_name}/#{@path} #{@namespace.name}/#{@path}
%p %p
To move or copy an entire GitLab project from another GitLab installation to this one, navigate to the original project's settings page, generate an export file, and upload it here. To move or copy an entire GitLab project from another GitLab installation to this one, navigate to the original project's settings page, generate an export file, and upload it here.
.form-group .form-group
= hidden_field_tag :namespace_id, @namespace_id = hidden_field_tag :namespace_id, @namespace.id
= hidden_field_tag :path, @path = hidden_field_tag :path, @path
= label_tag :file, class: 'control-label' do = label_tag :file, class: 'control-label' do
%span GitLab project export %span GitLab project export
......
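Review bot: The `hidden_field_tag :namespace_id, @namespace.id` line sends the id back to the client, and a hidden field can be edited before submission, so the permission check added in `new` does not cover the request that receives this form. The action handling the upload is not part of the visible diff; please confirm it resolves `namespace_id` again and applies the same `:create_projects` check rather than trusting the posted value. The switch from `@namespace_name` to `@namespace.name` itself looks fine, since `@namespace` is only set once the guard has passed.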