Renaming a group after first invalid rename ends with a 404
Summary
When a user wants to rename a group but chooses an existing namespace at first, a 404 is returned after the second submit (with a correct, non-existing name).
Steps to reproduce
Renaming a group
- Create a new group (skip this step if you want to test on the existing one)
- Go to group - settings
- Fill an existing namespace into the "Group name" field (e.g. "jarka")
- Click submit
- You can see an error message saying the path has been already taken ("Route path has already been taken Route is invalid") and are again on the settings form - this is correct.
- Enter a new name (valid non existing one) into the "Group name" and click submit
- You get a 404 page while the request is POST gitlab-domain/group-name-from-step-3 (POST https://gitlab.com/jarka in case of my example)
The problem is even bigger - example:
I have 2 groups with paths group-a and group-b. I want to rename group-a - I go to the settings and try to rename it to group-b. I get an error that the route has been taken. So I try another path, e.g. group-bbb - this route is valid. But because the POST now targets /group-b, as described above, group-b is renamed instead of group-a (no error in this case). This happens only in case I can update both groups and can rename it back, so I think it is not a security issue.
What is the current bug behavior?
404 error page
What is the expected correct behavior?
The group should be renamed correctly
Output of checks
This bug happens on GitLab.com
Possible fixes
We try to update @group from the GroupsController in Groups::UpdateService. First we assign attributes and when the save fails we render the edit form again. We call @group.restore_path! in the controller, it sets the path back correctly however in the view, where we use = form_for @group, html: { multipart: true, class: "form-horizontal gl-show-field-errors" }, authenticity_token the attempted path (the existing one) is set anyway.
Simple @group.reload fixes the problem but I am not sure it is the best way how to do it.
/cc @mydigitalself
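
The behaviour reported above can be reproduced in a small stand-alone model. This is an added example, not part of the original issue and not GitLab's code: Store, Group, form_action, submit and scenario are hypothetical stand-ins, and the only assumptions are the ones the issue states (a failed save leaves the attempted path in memory, the form URL is built from it, and the POST is routed by that URL).

```ruby
# Simplified model of the behaviour described in this issue. Not GitLab code:
# Store, Group, form_action, submit and scenario are hypothetical stand-ins.
class Store
  def initialize; @paths = {}; end             # persisted path => owner id
  def add(id, path); @paths[path] = id; end
  def id_for(path); @paths[path]; end
  def path_of(id); @paths.key(id); end
  def taken?(path, id); @paths.key?(path) && @paths[path] != id; end
  def rename(id, path); @paths.delete(path_of(id)); @paths[path] = id; end
end

class Group
  attr_reader :id
  attr_accessor :path                          # in-memory, possibly unsaved
  def initialize(store, id, path)
    @store, @id, @path = store, id, path
    store.add(id, path)
  end
  def save
    return false if @store.taken?(@path, @id)  # "has already been taken"
    @store.rename(@id, @path)
    true
  end
  def reload; @path = @store.path_of(@id); self; end
  def form_action; "/#{@path}"; end            # URL built from in-memory path
end

# The POST is routed by the path in the URL, not by the object that was edited.
def submit(store, groups, action, new_path)
  target = groups[store.id_for(action.delete_prefix("/"))]
  return 404 unless target
  target.path = new_path
  target.save ? target.id : :invalid
end

# Constructed data: two groups plus a user namespace "jarka" that is not a group.
def scenario(attempted, reload_after_failure)
  store = Store.new
  groups = { a: Group.new(store, :a, "group-a"), b: Group.new(store, :b, "group-b") }
  store.add(:user, "jarka")
  a = groups[:a]
  a.path = attempted
  a.save                                       # first submit fails validation
  a.reload if reload_after_failure             # the fix suggested in the issue
  result = submit(store, groups, a.form_action, "group-bbb")
  [result, store.path_of(:a), store.path_of(:b)]
end
```

scenario returns the outcome of the second submit followed by the persisted paths of group-a and group-b, so the 404 case, the wrong-group rename and the reloaded case can be compared side by side.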