Merge branch...

Merge branch 'security-506-import-pending-members-from-public-projects-or-private-projects-if-you-have-guest-role' into 'master'

Project members import authorization fix

See merge request gitlab-org/security/gitlab!1818

app/controllers/projects/project_members_controller.rb

@@ -34,13 +34,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
   end
 
   def import
-    @projects = current_user.authorized_projects.order_id_desc
+    @projects = Project.visible_to_user_and_access_level(current_user, Gitlab::Access::MAINTAINER).order_id_desc
   end
 
   def apply_import
     source_project = Project.find(params[:source_project_id])
 
-    if can?(current_user, :read_project_member, source_project)
+    if can?(current_user, :admin_project_member, source_project)
       status = @project.team.import(source_project, current_user)
       notice = status ? "Successfully imported" : "Import failed"
     else

spec/controllers/projects/project_members_controller_spec.rb

@@ -624,9 +624,9 @@ RSpec.describe Projects::ProjectMembersController do
       end
     end
 
-    context 'when user can access source project members' do
+    context 'when user can admin source project members' do
       before do
-        another_project.add_guest(user)
+        another_project.add_maintainer(user)
       end
 
       include_context 'import applied'
@@ -640,7 +640,11 @@ RSpec.describe Projects::ProjectMembersController do
       end
     end
 
-    context 'when user is not member of a source project' do
+    context "when user can't admin source project members" do
+      before do
+        another_project.add_developer(user)
+      end
+
       include_context 'import applied'
 
       it 'does not import team members' do