Deleting a user does not delete it's repository from disk

Summary

When deleting a user, we expect repositories on their own namespace to also be deleted, but this is not happening.

Steps to reproduce

Create a repository from a new user using it's own user's namespace.
Check the repository and namespace exists in the configured storage.
Login as admin and remove the user
Wait until the sidekiq job finishes
Check the namespace folder and repository still exists

What is the current bug behavior?

Repositories in user own namepsace and user namespace never gets removed from disk

What is the expected correct behavior?

When removing a user it should delete user's own repository in user's own namespace and the user's own namespace.

Why it happens?

This was found as part of the review of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/13246. The issue is because of the order in which the removal happens.

Since the introduction of multiple storages, the namespace removal code would cycle through all projects associated with it to determine in which storage locations were used.

When removing a user we first remove associated projects, than the user and then the namespace associated with the user's username.

Because we will remove the namespace itself later we don't remove the project's repository from disk as we can speedup things by removing the root folder once.

Also because there are dependencies around the namespace, we can't change the order here. In the namespace removal code we ask associated projects for it's .repository_storage_path and we use that in an after_destroy hook to remove the namespace directory (and whatever is inside it).

As the projects are already removed we always have nil as storage locations and therefore we remove none namespace directory.

Possible fixes

This is very similar to how group's removal works, and the fix is also similar. The before_destroy call that is part of the namespace model definition: prepare_for_destroy should be called in the DestroyService, before removing the associated projects, so we can store the storage locations which can be used by the .really_destroy! method.

Security release

As we discovered that this also allows a repository to be exploited in under some circumstances, we are going to release fix for 9.5, 9.4 and 9.3

Security MR for master - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2169
Security MR for 9.5 - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2170
Security MR for 9.4 - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2171
Security MR for 9.3 - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2172

Edited Aug 28, 2017 by Gabriel Mazetto