Commit 71f389d3 authored by Robert Speicher's avatar Robert Speicher

Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee

parents 46de7e6b 1337490c
Please view this file on the master branch, on stable branches it's out of date.
## 12.2.5
### Security (1 change)
- Do not allow creation of projects from group templates if project is not descendant of that group.
## 12.2.4
### Fixed (1 change)
......
......@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 12.2.5
### Security (1 change)
- Upgrade pages to 1.7.2.
## 12.2.4
### Fixed (7 changes)
......
---
title: Upgrade pages to 1.8.1
merge_request:
author:
type: security
......@@ -10,6 +10,11 @@ module EE
def execute
return super unless use_custom_template?
if subgroup_id && !valid_project_namespace?
project.errors.add(:namespace, _("is not a descendant of the Group owning the template"))
return project
end
override_params = params.dup
params[:custom_template] = template_project if template_project
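Review bot: The new guard `if subgroup_id && !valid_project_namespace?` only runs when `group_with_project_templates_id` is present, so whether a group template could still be resolved through `template_project` without that id is what decides if the check closes the hole completely; that path is not visible here and is worth an explicit spec. The intent of the guard is also not stated, so a comment above it would help the next reader, e.g. `# A group template may only be used for a project whose namespace lies inside the hierarchy of the group that owns the templates (the parent of the templates subgroup).` Note that `subgroup_id` is now a memoized getter that also deletes the key from `params` (see the later hunk), so the guard must stay ahead of `override_params = params.dup` for the key to be stripped; a short comment on that ordering would prevent a reorder from reintroducing it. The `execute` method continues outside the hunk.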
......@@ -34,7 +39,21 @@ module EE
end
def subgroup_id
params[:group_with_project_templates_id].presence
@subgroup_id ||= params.delete(:group_with_project_templates_id).presence
end
# rubocop: disable CodeReuse/ActiveRecord
def valid_project_namespace?
templates_owner = ::Group.find(subgroup_id).parent
return false unless templates_owner
templates_owner.self_and_descendants.exists?(id: project.namespace_id)
end
# rubocop: enable CodeReuse/ActiveRecord
def project
@project ||= ::Project.new(namespace_id: params[:namespace_id])
end
end
end
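Review bot: `::Group.find(subgroup_id)` in `valid_project_namespace?` raises `ActiveRecord::RecordNotFound` for an unknown or stale `group_with_project_templates_id`, so a request carrying a bad id surfaces as an exception instead of the `:namespace` validation error the caller in `execute` expects; `templates_owner = ::Group.find_by(id: subgroup_id)&.parent` keeps the existing `return false unless templates_owner` path for that case. `subgroup_id` is now a getter with a side effect — the first call removes the key from `params` and later calls return the memoized value, so any other reader of `params[:group_with_project_templates_id]` after that point sees nil; a comment such as `# Memoized; also strips the key from params so it is never forwarded to Project creation.` would document that contract. The `project` helper builds its instance from `params[:namespace_id]`, so a `nil` namespace id simply fails the `exists?` check and is rejected, which looks intended but is worth a spec.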
......
---
title: Do not allow creation of projects from group templates if project is not descendant
of that group
merge_request:
author:
type: security
......@@ -160,6 +160,14 @@ describe Projects::CreateFromTemplateService do
it_behaves_like 'a project that isn\'t persisted'
end
context 'when project is created outside of group hierarchy' do
let(:user) { create(:user) }
let(:project) { create(:project, :public, namespace: user.namespace) }
let(:namespace_id) { user.namespace_id }
it_behaves_like 'a project that isn\'t persisted'
end
end
context 'when the namespace is inside the hierarchy of the Group owning the template' do
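Review bot: The new context only asserts the shared example `a project that isn't persisted`, which cannot distinguish the new namespace guard from any other reason the service declines to save; adding an expectation on the error it sets, e.g. `expect(project.errors[:namespace]).to include('is not a descendant of the Group owning the template')` with `project` being the service result, would pin the behaviour this fix introduces. The `let(:project)` here persists a project before the service runs; if the shared example (defined outside the hunk) counts `Project` records or inspects `project`, that fixture may be what it reads rather than the service's result, so it is worth confirming the `let` is actually used. The enclosing `describe` block starts outside the hunk.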
......