Fix project visibility level validation

app/models/project.rb

@@ -335,8 +335,8 @@ class Project < ActiveRecord::Base
   validates :star_count, numericality: { greater_than_or_equal_to: 0 }
   validate :check_personal_projects_limit, on: :create
   validate :check_repository_path_availability, on: :update, if: ->(project) { project.renamed? }
-  validate :visibility_level_allowed_by_group, if: -> { changes.has_key?(:visibility_level) }
-  validate :visibility_level_allowed_as_fork, if: -> { changes.has_key?(:visibility_level) }
+  validate :visibility_level_allowed_by_group, if: :should_validate_visibility_level?
+  validate :visibility_level_allowed_as_fork, if: :should_validate_visibility_level?
   validate :check_wiki_path_conflict
   validate :validate_pages_https_only, if: -> { changes.has_key?(:pages_https_only) }
   validates :repository_storage,
@@ -870,6 +870,10 @@ class Project < ActiveRecord::Base
     self.errors.add(:limit_reached, error % { limit: limit })
   end
+  def should_validate_visibility_level?
+    new_record? || changes.has_key?(:visibility_level)
+  end
+
   def visibility_level_allowed_by_group
     return if visibility_level_allowed_by_group?

changelogs/unreleased/fix-project-visibility-level-validation.yml

+---
+title: Fix project visibility level validation
+merge_request:
+author: Peter Marko
+type: security

spec/models/project_spec.rb

@@ -220,6 +220,13 @@ describe Project do
       expect(project2).not_to be_valid
     end
+    it 'validates the visibility' do
+      expect_any_instance_of(described_class).to receive(:visibility_level_allowed_as_fork).and_call_original
+      expect_any_instance_of(described_class).to receive(:visibility_level_allowed_by_group).and_call_original
+
+      create(:project)
+    end
+
     describe 'wiki path conflict' do
       context "when the new path has been used by the wiki of other Project" do
         it 'has an error on the name attribute' do