updated controllers with permissions check

app/controllers/import/gitlab_project_controller.rb

@@ -1,45 +0,0 @@
-class Import::GitlabProjectController < Import::BaseController
-  before_action :verify_gitlab_project_import_enabled
-  before_action :gitlab_project_auth, except: :callback
-
-  rescue_from OAuth::Error, with: :gitlab_project_unauthorized
-
-  #TODO permissions stuff
-
-  def callback
-
-    redirect_to status_import_gitlab_project_url
-  end
-
-  def status
-    @repos = client.projects
-    @incompatible_repos = client.incompatible_projects
-
-    @already_added_projects = current_user.created_projects.where(import_type: "gitlab_project")
-    already_added_projects_names = @already_added_projects.pluck(:import_source)
-
-    @repos.to_a.reject!{ |repo| already_added_projects_names.include? "#{repo["owner"]}/#{repo["slug"]}" }
-  end
-
-  def jobs
-    jobs = current_user.created_projects.where(import_type: "gitlab_project").to_json(only: [:id, :import_status])
-    render json: jobs
-  end
-
-  def create
-    @file = params[:file]
-
-    repo_owner = current_user.username
-    @target_namespace = params[:new_namespace].presence || repo_owner
-
-    # namespace = get_or_create_namespace || (render and return)
-
-    @project = Gitlab::ImportExport::ImportService.execute(archive_file: file, owner: repo_owner)
-  end
-
-  private
-
-  def verify_gitlab_project_import_enabled
-    render_404 unless gitlab_project_import_enabled?
-  end
-end

app/controllers/import/gitlab_projects_controller.rb

@@ -1,44 +1,39 @@
 class Import::GitlabProjectsController < Import::BaseController
   before_action :verify_gitlab_project_import_enabled
-  #before_action :gitlab_project_auth, except: :callback
+  before_action :verify_project_and_namespace_access
 
   rescue_from OAuth::Error, with: :gitlab_project_unauthorized
 
-  #TODO permissions stuff
-
   def new
     @namespace_id = project_params[:namespace_id]
     @path = project_params[:path]
   end
 
-  def status
-
-  end
-
-  def jobs
-    jobs = current_user.created_projects.where(import_type: "gitlab_project").to_json(only: [:id, :import_status])
-    render json: jobs
-  end
-
   def create
-    # TODO verify access to namespace and path
-    file = params[:file]
-    namespace_id = project_params[:namespace_id]
-    path = project_params[:path]
-
-    repo_owner = current_user.username
-    @target_namespace = params[:new_namespace].presence || repo_owner
-
     @project = Project.create_from_import_job(current_user_id: current_user.id,
-                                              tmp_file: File.expand_path(file.path),
-                                              namespace_id: namespace_id,
-                                              project_path: path)
+                                              tmp_file: File.expand_path(params[:file].path),
+                                              namespace_id: project_params[:namespace_id],
+                                              project_path: project_params[:path])
 
-    redirect_to status_import_gitlab_project_path
+    redirect_to dashboard_projects_path
   end
 
   private
 
+  def verify_project_and_namespace_access
+    unless namespace_access? && project_access?
+      render_403
+    end
+  end
+
+  def project_access?
+    can?(current_user, :admin_project, @project)
+  end
+
+  def namespace_access?
+    current_user.can?(:create_projects, Namespace.find(project_params[:namespace_id]))
+  end
+
   def verify_gitlab_project_import_enabled
     render_404 unless gitlab_project_import_enabled?
   end

app/controllers/projects_controller.rb

@@ -7,7 +7,7 @@ class ProjectsController < Projects::ApplicationController
   before_action :assign_ref_vars, :tree, only: [:show], if: :repo_exists?
 
   # Authorize
-  before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping]
+  before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping, :download_export, :export]
   before_action :event_filter, only: [:show, :activity]
 
   layout :determine_layout