Merge branch 'xanf-fix-404-on-import' into 'master'

Resolve "Importing project by user with developer rights results in 404" See merge request gitlab-org/gitlab!35667

Merge branch 'xanf-fix-404-on-import' into 'master'
Resolve "Importing project by user with developer rights results in 404" See merge request gitlab-org/gitlab!35667
570a583c · Peter Leitzen · a5267967 · b2ce4407 · 570a583c · 570a583c
Commit 570a583c authored Jul 01, 2020 by Peter Leitzen
3 changed files
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -5,7 +5,8 @@ class Projects::ImportsController < Projects::ApplicationController
  include ImportUrlParams

  # Authorize
-  before_action :authorize_admin_project!
+  before_action :authorize_admin_project!, only: [:new, :create]
+  before_action :require_namespace_project_creation_permission, only: :show
  before_action :require_no_repo, only: [:new, :create]
  before_action :redirect_if_progress, only: [:new, :create]
  before_action :redirect_if_no_import, only: :show
@@ -51,6 +52,10 @@ class Projects::ImportsController < Projects::ApplicationController
    end
  end

+  def require_namespace_project_creation_permission
+    render_404 unless current_user.can?(:admin_project, @project) || current_user.can?(:create_projects, @project.namespace)
+  end
+
  def redirect_if_progress
    if @project.import_in_progress?
      redirect_to project_import_path(@project)

--- a/changelogs/unreleased/xanf-fix-404-on-import.yml
+++ b/changelogs/unreleased/xanf-fix-404-on-import.yml
+---
+title: Fix 404 when importing project with developer permission
+merge_request: 35667
+author:
+type: fixed
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -8,10 +8,14 @@ RSpec.describe Projects::ImportsController do

  before do
    sign_in(user)
-    project.add_maintainer(user)
  end

  describe 'GET #show' do
+    context 'when the user has maintainer rights' do
+      before do
+        project.add_maintainer(user)
+      end
+
      context 'when repository does not exists' do
        it 'renders template' do
          get :show, params: { namespace_id: project.namespace.to_param, project_id: project }
@@ -123,11 +127,46 @@ RSpec.describe Projects::ImportsController do
      end
    end

+    context 'when project is in group' do
+      let(:project) { create(:project_empty_repo, import_url: 'https://github.com/vim/vim.git', namespace: group) }
+
+      context 'when user has developer access to group and import is in progress' do
+        let(:import_state) { project.import_state }
+
+        before do
+          group.add_developer(user)
+          import_state.update!(status: :started)
+        end
+
+        context 'when group allows developers to create projects' do
+          let(:group) { create(:group, project_creation_level: Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) }
+
+          it 'renders template' do
+            get :show, params: { namespace_id: project.namespace.to_param, project_id: project }
+
+            expect(response).to render_template :show
+          end
+        end
+
+        context 'when group prohibits developers to create projects' do
+          let(:group) { create(:group, project_creation_level: Gitlab::Access::MAINTAINER_PROJECT_ACCESS) }
+
+          it 'returns 404 response' do
+            get :show, params: { namespace_id: project.namespace.to_param, project_id: project }
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
+    end
+  end
+
  describe 'POST #create' do
    let(:params) { { import_url: 'https://github.com/vim/vim.git', import_url_user: 'user', import_url_password: 'password' } }
    let(:project) { create(:project) }

    before do
+      project.add_maintainer(user)
      allow(RepositoryImportWorker).to receive(:perform_async)

      post :create, params: { project: params, namespace_id: project.namespace.to_param, project_id: project }