# HG changeset patch
# User Marcin Kuzminski
# Date 2017-10-26 08:14:38
# Node ID af6ecbb04c77688fecbd12ce0b91fd6b624b93ca
# Parent 906096771f2e869bb32b87d1fdc31cb64aea7107
repo-forks: stable, security, fix issue when forging fork_repo_id could allow reading other people forks.

diff --git a/rhodecode/controllers/forks.py b/rhodecode/controllers/forks.py
--- a/rhodecode/controllers/forks.py
+++ b/rhodecode/controllers/forks.py
@@ -163,10 +163,13 @@ class ForksController(BaseRepoController
         _form = RepoForkForm(old_data={'repo_type': c.repo_info.repo_type},
                              repo_groups=c.repo_groups_choices,
                              landing_revs=c.landing_revs_choices)()
+        post_data = dict(request.POST)
+        post_data['fork_parent_id'] = c.repo_info.repo_id
+
         form_result = {}
         task_id = None
         try:
-            form_result = _form.to_python(dict(request.POST))
+            form_result = _form.to_python(post_data)
             # create fork is done sometimes async on celery, db transaction
             # management is handled there.
             task = RepoModel().create_fork(
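Review bot: The assignment `post_data['fork_parent_id'] = c.repo_info.repo_id` is the entire security fix, yet nothing in the hunk records why the client-supplied value is discarded, so a later cleanup could plausibly "simplify" it back to passing `request.POST` straight into `_form.to_python`. Add a comment above the override, e.g. `# fork_parent_id is always the URL-resolved repo (already permission-checked); never take it from the client`. A regression test that POSTs a foreign `fork_parent_id` and asserts the resulting fork's parent equals `c.repo_info.repo_id` would pin the behaviour; it is also worth confirming that RepoForkForm does not still read `fork_parent_id` from another source, which cannot be seen from this hunk. The enclosing ForksController method starts and ends outside the hunk.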