User with guest role can fork project and therefore gain access to the code

Currently we do not check permissions in ForkService.

It is possible to fork project (for example using API) if only user has a read_project ability (guests do). User can easily bypass restrictions on downloading code (accessing code is available to reporter role and greater).

This can be considered as a security issue. /cc @DouweM

MR in https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1996

Reassigned to @nick.thomas

Milestone changed to %8.12

Added ~480950 label

Milestone changed to %8.13

Mentioned in commit fe93a9b4

Made the issue visible

Made the issue confidential

Made the issue visible

Should this issue be visible yet? There hasn't been a blog post about the update yet.

/cc @rymai @rdavila

@rabbitfang good call, the blog post is being deployed but I'll mark it as confidential in the meantime.

Made the issue confidential

Made the issue visible

Status changed to closed by merge request gitlab-org/gitlab-ee!767

mentioned in merge request !14785