Hide features a user shouldn't be able to see in a list of forks

Changelog: security

app/helpers/projects_helper.rb

@@ -420,6 +420,18 @@ module ProjectsHelper
     project.path_with_namespace
   end
 
+  def able_to_see_issues?(project, user)
+    project.issues_enabled? && can?(user, :read_issue, project)
+  end
+
+  def able_to_see_merge_requests?(project, user)
+    project.merge_requests_enabled? && can?(user, :read_merge_request, project)
+  end
+
+  def able_to_see_last_commit?(show_last_commit_as_description, project, user)
+    show_last_commit_as_description && can?(user, :read_commit_status, project)
+  end
+
   def fork_button_disabled_tooltip(project)
     return unless current_user
 

app/views/shared/projects/_list.html.haml

@@ -37,8 +37,8 @@
         - css_class = (i >= projects_limit) || project.pending_delete? ? 'hide' : nil
         = render "shared/projects/project", project: project, skip_namespace: skip_namespace,
           avatar: avatar, stars: stars, css_class: css_class, use_creator_avatar: use_creator_avatar,
-          forks: project.forking_enabled?, show_last_commit_as_description: show_last_commit_as_description, user: user,
-          merge_requests: project.merge_requests_enabled?, issues: project.issues_enabled?,
+          forks: project.forking_enabled?, show_last_commit_as_description: able_to_see_last_commit?(show_last_commit_as_description, project, user),
+          user: user, merge_requests: able_to_see_merge_requests?(project, user), issues: able_to_see_issues?(project, user),
           pipeline_status: pipeline_status, compact_mode: compact_mode
     = paginate_collection(projects, remote: remote) unless skip_pagination
   - else

spec/features/projects/forks/fork_list_spec.rb

@@ -24,6 +24,28 @@ RSpec.describe 'listing forks of a project' do
     end
   end
 
+  context "when a fork is set to allow only project members to access features" do
+    let(:outside_user) { create(:user) }
+
+    before do
+      sign_in(outside_user)
+
+      allow_any_instance_of(ProjectsHelper).to receive(:able_to_see_last_commit?).and_return(false)
+      allow_any_instance_of(ProjectsHelper).to receive(:able_to_see_merge_requests?).and_return(false)
+      allow_any_instance_of(ProjectsHelper).to receive(:able_to_see_issues?).and_return(false)
+    end
+
+    it 'will not show that information in the original forks list' do
+      visit project_forks_path(source)
+
+      page.within('li.project-row') do
+        expect(page).not_to have_css('a.commit-row-message')
+        expect(page).not_to have_css('a.issues')
+        expect(page).not_to have_css('a.merge-requests')
+      end
+    end
+  end
+
   it 'does not show the commit message when an external authorization service is used' do
     enable_external_authorization_service_check
 

spec/helpers/projects_helper_spec.rb

@@ -1000,6 +1000,75 @@ RSpec.describe ProjectsHelper do
     end
   end
 
+  context 'fork security helpers' do
+    using RSpec::Parameterized::TableSyntax
+
+    describe "#able_to_see_merge_requests?" do
+      subject { helper.able_to_see_merge_requests?(project, user) }
+
+      where(:can_read_merge_request, :merge_requests_enabled, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+
+      with_them do
+        before do
+          allow(project).to receive(:merge_requests_enabled?).and_return(merge_requests_enabled)
+          allow(helper).to receive(:can?).with(user, :read_merge_request, project).and_return(can_read_merge_request)
+        end
+
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+
+    describe "#able_to_see_issues?" do
+      subject { helper.able_to_see_issues?(project, user) }
+
+      where(:can_read_issues, :issues_enabled, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+
+      with_them do
+        before do
+          allow(project).to receive(:issues_enabled?).and_return(issues_enabled)
+          allow(helper).to receive(:can?).with(user, :read_issue, project).and_return(can_read_issues)
+        end
+
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+
+    describe "#able_to_see_last_commit?" do
+      subject { helper.able_to_see_last_commit?(show_last_commit_as_description, project, user) }
+
+      where(:can_read_last_commit, :show_last_commit_as_description, :expected) do
+        false | false | false
+        true | false | false
+        false | true | false
+        true | true | true
+      end
+
+      with_them do
+        before do
+          allow(helper).to receive(:can?).with(user, :read_commit_status, project).and_return(can_read_last_commit)
+        end
+
+        it 'returns the correct response' do
+          expect(subject).to eq(expected)
+        end
+      end
+    end
+  end
+
   describe '#fork_button_disabled_tooltip' do
     using RSpec::Parameterized::TableSyntax