Merge branch 'security-custom-templates-source-code-disclosure-17-1' into '17-1-stable-ee'

Add permissions check to project creations from a project template

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4445



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gavin Hinfey <ghinfey@gitlab.com>
Co-authored-by: Fred Reinink <freinink@gitlab.com>

ee/app/services/ee/projects/create_from_template_service.rb

@@ -64,7 +64,8 @@ def template_project
               current_user.available_custom_project_templates(search: template_name, subgroup_id: subgroup_id)
             end
-          templates.first
+          template = templates.first
+          can?(current_user, :read_code, template) ? template : nil
         end
       end

ee/spec/services/projects/create_from_template_service_spec.rb

@@ -213,5 +213,30 @@
         end
       end
     end
+
+    context 'when current_user does not have read_code permissions to the template_project' do
+      let(:group_with_project_templates_id) { subgroup_1.id }
+      let(:project_template) { create(:project, :private, :metrics_dashboard_enabled, namespace: subgroup_1) }
+      let(:namespace_id) { subgroup_2.id }
+
+      before do
+        project_params.delete(:template_name)
+        project_params[:template_project_id] = project_template.id
+
+        group.update!(custom_project_templates_group_id: subgroup_1.id)
+        subgroup_1.add_guest(user)
+        subgroup_2.add_maintainer(user)
+      end
+
+      it "isn't persisted" do
+        project = subject.execute
+
+        expect(project.errors&.first&.full_message).to match(
+          "Template project #{project_template.id} is unknown or invalid"
+        )
+        expect(project).not_to be_saved
+        expect(project.repository.empty?).to eq(true)
+      end
+    end
   end
 end