Group membership does not expire, cannot remove user manually
Summary
Group membership given with expire date does not expire, GitLab GUI offers no way to remove the user from the group. API results in "403 forbidden".
Steps to reproduce
- Give user role in group (happened for "Owner" rights for me)
- Set expire date
- Wait for expire date to pass
- See that user still has permission although expire date is shown in the past
- Be unable to remove permission via GUI or API
Example Project
What is the current bug behavior?
On Feb 8, 2019 I gave my account Owner rights in a group I needed to move some projects to. I set the expire date to Feb 9, 2019 to not have to care about removing the permission again when I'm done.
Today (Feb 11, 2019) the permission is still there, still showing to expire on Feb 9, 2019 which for some reason GitLab interprets to be "in 2 days". The system time of the GitLab server is correct though.
There is no way for me to remove my user from the group any more. A button to remove myself is missing from the GUI, and using the API results in 403: forbidden.
What is the expected correct behavior?
Expiration should work and remove permission at the specified date.
Relevant logs and/or screenshots
Answer of DELETE call to api/v4/groups/:group_id/members/:user_id authorized as root
{
"message": "403 Forbidden"
}
Expired user shown even after expire date is over (date output from GitLab server shell)
Output of checks
Results of GitLab environment info
gitlab-rake gitlab:env:info

System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version:1.16.6
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version:5.2.3
Go Version: unknown

GitLab information
Version: 11.7.5-ee
Revision: ed04633
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.8
URL: https://gitlab.[redacted by submitter]
HTTP Clone URL: https://gitlab.[redacted by submitter]/some-group/some-project.git
SSH Clone URL: git@gitlab.[redacted by submitter]:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 8.4.4
Repository storage paths:
- default: /gitlab-data/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
gitlab-rake gitlab:check SANITIZE=true

Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ...
GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /gitlab-data/home/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... [redacted by submitter]
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
unknown
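Added example, not part of the original report and not GitLab's own code: an audit that flags group memberships whose `expires_at` date has already passed but which are still present, the condition described above. It assumes the member list has the shape returned by `GET /api/v4/groups/:group_id/members` (`id`, `username`, `access_level`, `expires_at`); the sample data and the function name `overdue_memberships` are constructed for illustration.

```python
import json
from datetime import date

# GitLab access level codes and their role names.
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer",
                 40: "Maintainer", 50: "Owner"}

# Constructed sample of a group members listing (not real data).
SAMPLE_MEMBERS_JSON = """[
  {"id": 7,  "username": "alice", "access_level": 50, "expires_at": "2019-02-09"},
  {"id": 8,  "username": "bob",   "access_level": 30, "expires_at": null},
  {"id": 9,  "username": "carol", "access_level": 40, "expires_at": "2019-02-11"},
  {"id": 10, "username": "dave",  "access_level": 20, "expires_at": "2019-01-31"},
  {"id": 11, "username": "erin",  "access_level": 30, "expires_at": "2019-03-01T00:00:00Z"}
]"""


def overdue_memberships(members, today):
    """Return memberships that still exist although expires_at is in the past.

    Only dates strictly before `today` are flagged, so a membership that
    expires today is not reported while the expiry job may still be pending.
    """
    findings = []
    for member in members:
        raw = member.get("expires_at")
        if not raw:
            continue  # no expiry configured for this membership
        # Accept both "YYYY-MM-DD" and full timestamps (assumption: ISO 8601).
        expires = date.fromisoformat(raw[:10])
        if expires < today:
            findings.append({
                "user_id": member["id"],
                "username": member["username"],
                "access_level": member["access_level"],
                "role": ACCESS_LEVELS.get(member["access_level"], "unknown"),
                "expired_on": expires.isoformat(),
                "days_overdue": (today - expires).days,
            })
    # Highest privilege first, then longest overdue.
    findings.sort(key=lambda f: (-f["access_level"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in overdue_memberships(json.loads(SAMPLE_MEMBERS_JSON), date(2019, 2, 11)):
        print(f"{f['username']}: {f['role']} expired {f['expired_on']} "
              f"({f['days_overdue']} days overdue)")
```

Run against the real members listing on a schedule, a non-empty result indicates that expiry enforcement is not removing access as configured.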