Merge branch 'sh-fix-issue-29739' into 'master'

app/controllers/import/bitbucket_controller.rb

@@ -44,15 +44,15 @@ class Import::BitbucketController < Import::BaseController
 
     repo_owner = repo.owner
     repo_owner = current_user.username if repo_owner == bitbucket_client.user.username
-    @target_namespace = params[:new_namespace].presence || repo_owner
+    namespace_path = params[:new_namespace].presence || repo_owner
 
-    namespace = find_or_create_namespace(@target_namespace, current_user)
+    @target_namespace = find_or_create_namespace(namespace_path, current_user)
 
-    if current_user.can?(:create_projects, namespace)
+    if current_user.can?(:create_projects, @target_namespace)
       # The token in a session can be expired, we need to get most recent one because
       # Bitbucket::Connection class refreshes it.
       session[:bitbucket_token] = bitbucket_client.connection.token
-      @project = Gitlab::BitbucketImport::ProjectCreator.new(repo, @project_name, namespace, current_user, credentials).execute
+      @project = Gitlab::BitbucketImport::ProjectCreator.new(repo, @project_name, @target_namespace, current_user, credentials).execute
     else
       render 'unauthorized'
     end

spec/controllers/import/bitbucket_controller_spec.rb

@@ -112,6 +112,17 @@ describe Import::BitbucketController do
           post :create, format: :js
         end
       end
+
+      context 'when the Bitbucket user is unauthorized' do
+        render_views
+
+        it 'returns unauthorized' do
+          allow(controller).to receive(:current_user).and_return(user)
+          allow(user).to receive(:can?).and_return(false)
+
+          post :create, format: :js
+        end
+      end
     end
 
     context "when the repository owner is not the Bitbucket user" do