# HG changeset patch
# User Marcin Kuzminski
# Date 2017-10-15 16:54:52
# Node ID f94ee74b785f20c6de85aa3b9b0920033795db96
# Parent 01313011d46d8fa8248ce00bb1d808f81e1022dc
repo-forks: security, fix issue when forging fork_repo_id could allow reading other people forks.

diff --git a/rhodecode/apps/admin/views/repositories.py b/rhodecode/apps/admin/views/repositories.py
--- a/rhodecode/apps/admin/views/repositories.py
+++ b/rhodecode/apps/admin/views/repositories.py
@@ -63,6 +63,7 @@ class AdminReposView(BaseAppView, DataGr
 
     @LoginRequired()
     @NotAnonymous()
+    # perms check inside
     @view_config(
         route_name='repos', request_method='GET',
         renderer='rhodecode:templates/admin/repos/repos.mako')
diff --git a/rhodecode/apps/repository/views/repo_forks.py b/rhodecode/apps/repository/views/repo_forks.py
--- a/rhodecode/apps/repository/views/repo_forks.py
+++ b/rhodecode/apps/repository/views/repo_forks.py
@@ -212,10 +212,15 @@ class RepoForksView(RepoAppView, DataGri
         _form = RepoForkForm(old_data={'repo_type': self.db_repo.repo_type},
                              repo_groups=c.repo_groups_choices,
                              landing_revs=c.landing_revs_choices)()
+        post_data = dict(self.request.POST)
+
+        # forbid injecting other repo by forging a request
+        post_data['fork_parent_id'] = self.db_repo.repo_id
+
         form_result = {}
         task_id = None
         try:
-            form_result = _form.to_python(dict(self.request.POST))
+            form_result = _form.to_python(post_data)
             # create fork is done sometimes async on celery, db transaction
             # management is handled there.
             task = RepoModel().create_fork(
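Review bot: The added `# perms check inside` is wedged between two decorators and names neither the check nor where it lives, which matters because this route is guarded only by `@LoginRequired()` and `@NotAnonymous()`, so whatever filtering the body does is the control that keeps the listing from exposing repositories the caller may not read; the body is outside the hunk, so that is inferred from the decorators alone. Put the comment above the decorator stack and tell the next reader what to preserve, e.g. `# no permission decorator on purpose: the view body filters the listing by the caller's repository permissions - keep that filter when editing`, with the wording confirmed against the body. The decorated method continues past the end of the hunk.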
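Review bot: Overwriting `post_data['fork_parent_id']` silently discards a forged value, so an attempt to read another user's fork leaves no trace in the logs even though the commit describes this as a security fix; note also that `self.db_repo.repo_id` is an int while anything taken from POST is a string, so any comparison needs `str()` on one side. Compare and log before the overwrite, e.g. `forged = post_data.get('fork_parent_id')` / `if forged is not None and str(forged) != str(self.db_repo.repo_id):` / `log.warning('ignoring forged fork_parent_id %r for repo %s', forged, self.db_repo.repo_id)` — assuming this module defines the usual `log = logging.getLogger(__name__)`; the imports are outside the hunk. The commit title refers to `fork_repo_id` while the field actually pinned is `fork_parent_id`, which will mislead anyone grepping for this fix later. The enclosing method, including the `create_fork` call and its exception handling, continues outside the hunk.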