Inherited member permissions aren't applying

Summary

When making an API request, UserA receives an empty response from the approval_rules API. Once UserA is given explicit "developer" access to the approval-groupA

Also, when adding a group comprised of members with inherited permissions from a parent group to approval rules, they are not appearing.

Empty Response

```
curl -X GET --header "PRIVATE-TOKEN: <UserA token with api>" https://gitlab.com/api/v4/projects/21372027/approval_rules
```

```json
[{"id":518123,
  "name":"approval-group",
  "rule_type":"regular",
  "eligible_approvers":[],
  "approvals_required":1,
  "users":[],
  "groups":[],
  "contains_hidden_groups":true,
  "protected_branches":[]
}]
```

Full response after adding explicit membership

```
curl -X GET --header "PRIVATE-TOKEN: <UserA token with api>" https://gitlab.com/api/v4/projects/21372027/approval_rules
```

```json
[
   {
      "id":518123,
      "name":"approval-group",
      "rule_type":"regular",
      "eligible_approvers":[
         {
            "id":4868295,
            "name":"Michael Lussier",
            "username":"m_lussier",
            "state":"active",
            "avatar_url":"https://assets.gitlab-static.net/uploads/-/system/user/avatar/4868295/avatar.png",
            "web_url":"https://gitlab.com/m_lussier"
         },
         {
            "id":7187833,
            "name":"fakeman guylast",
            "username":"fakemanguytest",
            "state":"active",
            "avatar_url":"https://secure.gravatar.com/avatar/4923321730d0485e3c6c0c65c95829be?s=80\u0026d=identicon",
            "web_url":"https://gitlab.com/fakemanguytest"
         }
      ],
      "approvals_required":1,
      "users":[],
      "groups":[
         {
            "id":9500267,
            "web_url":"https://gitlab.com/groups/test-gold-group1/approval-groupa",
            "name":"approval-groupA",
            "path":"approval-groupa",
            "description":"",
            "visibility":"private",
            "share_with_group_lock":false,
            "require_two_factor_authentication":false,
            "two_factor_grace_period":48,
            "project_creation_level":"developer",
            "auto_devops_enabled":null,
            "subgroup_creation_level":"maintainer",
            "emails_disabled":null,
            "mentions_disabled":null,
            "lfs_enabled":true,
            "default_branch_protection":2,
            "avatar_url":null,
            "request_access_enabled":true,
            "full_name":"test-gold-group / approval-groupA",
            "full_path":"test-gold-group1/approval-groupa",
            "created_at":"2020-09-25T19:46:57.692Z",
            "parent_id":9500051,
            "ldap_cn":null,
            "ldap_access":null,
            "marked_for_deletion_on":null
         }
      ],
      "contains_hidden_groups":false,
      "protected_branches":[]
   }
]
```

Missing approvers from inherited group comprised of members with inherited permissions: https://gitlab.com/test-gold-group1/project-groupa/projecta

Screenshots of behavior

Screen_Shot_2020-10-07_at_5.57.03_PM

Screen_Shot_2020-10-07_at_5.57.09_PM

Screen_Shot_2020-10-07_at_5.58.48_PM

Steps to reproduce

UserA will have this "Empty Response" specifically with this setup:

```
groupA <-- UserA & UserB have developer access here
|-- approval-groupA <-- UserB with developer access, group used for approval rule in project
`-- project-groupA
    `-- projectA <-- approval rule linked to approval-group
```

UserA will have this "Full Response (expected)", UserA given explicit developer access to approval-groupA:

```
groupA <-- UserA & UserB have developer access here
|-- approval-groupA <-- UserA given explicit "developer" access instead of just inherited
`-- project-groupA
    `-- projectA <-- approval rule linked to approval-group
```

Complete successful API response for call to approval_rules

Example Project

- groupA: https://gitlab.com/test-gold-group1
- project-groupA: https://gitlab.com/test-gold-group1/project-groupa
- projectA: https://gitlab.com/test-gold-group1/project-groupa/projecta
- approval-groupA: https://gitlab.com/test-gold-group1/approval-groupa

What is the current bug behavior?

When making an API request, UserA receives an empty response from the approval_rules API.

What is the expected correct behavior?

When making an API request, UserA receives a full response from the approval_rules API without explicit "developer" access to approval-groupA.


Edited by Michael Lussier
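
A way to check for this condition from the API output, as an added example that is not part of the original issue: it flags rules whose caller-visible approvers cannot satisfy `approvals_required` and diffs two views of the same rule. The function names `summarize`, `audit_rules` and `diff_views` are hypothetical, and the sample bodies are trimmed copies of the two responses shown above.

```python
import json

# Trimmed from the two responses in the issue: same rule, before and after explicit membership.
INHERITED_ONLY = """[{"id":518123,"name":"approval-group","rule_type":"regular",
  "eligible_approvers":[],"approvals_required":1,"users":[],"groups":[],
  "contains_hidden_groups":true,"protected_branches":[]}]"""
EXPLICIT_MEMBER = """[{"id":518123,"name":"approval-group","rule_type":"regular",
  "eligible_approvers":[{"id":4868295,"username":"m_lussier"},
    {"id":7187833,"username":"fakemanguytest"}],"approvals_required":1,"users":[],
  "groups":[{"id":9500267,"full_path":"test-gold-group1/approval-groupa",
    "visibility":"private"}],
  "contains_hidden_groups":false,"protected_branches":[]}]"""


def summarize(rule):
    """Reduce one approval rule to the fields that differ between views."""
    return {
        "approvers": sorted(u["username"] for u in rule.get("eligible_approvers", [])),
        "groups": sorted(g["full_path"] for g in rule.get("groups", [])),
        "hidden": bool(rule.get("contains_hidden_groups")),
        "required": rule.get("approvals_required", 0),
    }


def audit_rules(body):
    """Flag rules whose caller-visible approvers cannot satisfy the rule."""
    findings = []
    for rule in json.loads(body):
        s = summarize(rule)
        reasons = []
        if s["hidden"]:
            reasons.append("contains_hidden_groups")
        if s["required"] > len(s["approvers"]):
            reasons.append("fewer visible approvers than approvals_required")
        if reasons:
            findings.append({"id": rule["id"], "name": rule["name"], "reasons": reasons})
    return findings


def diff_views(restricted_body, full_body):
    """Per rule id, list approvers and groups that only the fuller view returns."""
    full = {r["id"]: summarize(r) for r in json.loads(full_body)}
    missing = {}
    for rule in json.loads(restricted_body):
        seen = summarize(rule)
        ref = full.get(rule["id"], seen)  # rule absent from fuller view: nothing to diff
        gap = {k: [v for v in ref[k] if v not in seen[k]] for k in ("approvers", "groups")}
        if gap["approvers"] or gap["groups"]:
            missing[rule["id"]] = gap
    return missing
```
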