API Group visibility level incorrectly evaluated.
Summary
When creating/updating a group's visibility level, the incorrect visibility is passed. If the system has restricted visibility levels (e.g. not allowing private), each request from a non-administrator will return a bad request response.
```json
{"message":"Failed to save group {:visibility_level=>[\"internal has been restricted by your GitLab administrator\"]}"}
```
The API expects a visibility string `visibility`, but the group create service expects a `visibility_level` integer, which evaluates to 0/private.
https://docs.gitlab.com/ee/api/groups.html#new-group
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/api/groups.rb#L113
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/services/groups/create_service.rb#L55
```ruby
optional :visibility, type: String,
                      values: Gitlab::VisibilityLevel.string_values,
                      default: Gitlab::VisibilityLevel.string_level(
                        Gitlab::CurrentSettings.current_application_settings.default_group_visibility),
                      desc: 'The visibility of the group'
```
```ruby
Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
```
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/visibility_level.rb#L73
```ruby
allowed_level?(level.to_i)
```
Steps to reproduce
- Restrict Private/Public on /admin/application_settings
- Attempt to create a Group with a non-administrator user.
  - Any params for visibility are ignored (and will return the error message).
Reproduced on 10.5.1
What is the current bug behavior?
Visibility is incorrectly evaluated: `declared_params` is sending `:visibility`, but `:visibility_level` is expected.
What is the expected correct behavior?
Correctly evaluate/set visibility for new/updates
Possible fixes
Convert and pass visibility into visibility_level for group create service:
```ruby
opts = declared_params(include_missing: false)
opts[:visibility_level] = Gitlab::VisibilityLevel.level_value opts[:visibility]
group = ::Groups::CreateService.new(current_user, opts).execute
```
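
The mismatch and the proposed conversion, modelled in plain Ruby as an added example (not GitLab's code): `VisibilityModel`, `create_group`, `api_create_buggy` and `api_create_fixed` are hypothetical stand-ins, and the integer levels 10 and 20 are assumed rather than taken from this issue.

```ruby
# Simplified stand-in for the mismatch in this issue; not GitLab's code.
# 0/private is from the issue; 10 (internal) and 20 (public) are assumed here.
module VisibilityModel
  LEVELS = { 'private' => 0, 'internal' => 10, 'public' => 20 }.freeze

  # String name -> integer level (nil for an unknown name).
  def self.level_value(name)
    LEVELS[name.to_s]
  end

  # Same shape as allowed_level?(level.to_i): nil.to_i is 0, i.e. private.
  def self.allowed_for?(is_admin, level, restricted)
    is_admin || !restricted.include?(level.to_i)
  end
end

# Stand-in for the create service: it only reads :visibility_level.
def create_group(params, is_admin:, restricted:)
  level = params[:visibility_level]
  unless VisibilityModel.allowed_for?(is_admin, level, restricted)
    return { status: 400, rejected_level: level.to_i }
  end
  { status: 201, visibility_level: level.to_i }
end

# API layer as reported: the string :visibility is forwarded unconverted.
def api_create_buggy(api_params, **ctx)
  create_group(api_params, **ctx)
end

# API layer with the proposed conversion applied before the service call.
def api_create_fixed(api_params, **ctx)
  opts = api_params.dup
  opts[:visibility_level] = VisibilityModel.level_value(opts[:visibility])
  create_group(opts, **ctx)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: private and public restricted, non-admin caller.
  ctx = { is_admin: false, restricted: [0, 20] }
  %w[internal public].each do |v|
    req = { name: 'demo', path: 'demo', visibility: v }
    puts "#{v}: buggy=#{api_create_buggy(req, **ctx)} fixed=#{api_create_fixed(req, **ctx)}"
  end
end
```

In the model, the unconverted request is rejected as level 0 whatever string was sent, while the converted request is checked against the level the caller actually asked for.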
Customers
https://gitlab.my.salesforce.com/00161000004zrF8
Internal ZD: https://gitlab.zendesk.com/agent/tickets/92877