Access level displayed on Project Members page is from parent group, but actual level is from sub-group
Summary
The access level displayed on Project Members page is taken from the parent group, even though the actual level is inherited/overridden from a sub-group. This is misleading and can lead to incorrect security audits.
Steps to reproduce
- Create a new group and add a user as a reporter
- Add a new repo to the group and confirm the user's access level is as expected
- Create a new sub-group and add the original user as a developer
- Share the repo to the sub-group with developer access level
- Confirm that the user can now write to this repo
- Observe access displayed on project members page is inconsistent with actual access level.
Example Project
- Project: https://gitlab.com/access-levels-parent/access-ghosting
- Parent group: https://gitlab.com/access-levels-parent
- Sub-group: https://gitlab.com/access-levels-parent/access-levels-sub
What is the current bug behavior?
Access level displayed on Project page is that of the parent group
What is the expected correct behavior?
Highest level of access inherited
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Edited by Denham Coote
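
An audit check for the scenario reported above, as an added example (not part of the original issue and not GitLab's code). It assumes a user's effective level is the highest across direct, ancestor-group and shared-group membership, with a shared-group membership capped at the level of the share; the user name `alice` and the data layout are constructed.

```python
# Added example: constructed data, not GitLab's code or API response format.
ACCESS = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}
NAME = {value: name for name, value in ACCESS.items()}

# Constructed sample mirroring the reproduction steps ("alice" is hypothetical).
GROUP_MEMBERS = {
    "access-levels-parent": {"alice": ACCESS["reporter"]},
    "access-levels-parent/access-levels-sub": {"alice": ACCESS["developer"]},
}
PROJECT = {
    "path": "access-levels-parent/access-ghosting",
    "direct_members": {},
    # Group the project is shared with -> maximum level granted by the share.
    "shared_with": {"access-levels-parent/access-levels-sub": ACCESS["developer"]},
}

def ancestors(path):
    """Yield each ancestor group path of a project path, nearest first."""
    parts = path.split("/")[:-1]
    while parts:
        yield "/".join(parts)
        parts.pop()

def access_sources(project, group_members, user):
    """Return {source: level} for every route by which `user` reaches `project`."""
    sources = {}
    if user in project["direct_members"]:
        sources["direct"] = project["direct_members"][user]
    for group in ancestors(project["path"]):
        level = group_members.get(group, {}).get(user)
        if level is not None:
            sources[f"inherited:{group}"] = level
    for group, cap in project["shared_with"].items():
        level = group_members.get(group, {}).get(user)
        if level is not None:
            # Assumption: a share grants at most `cap`, never more than the member holds.
            sources[f"shared:{group}"] = min(level, cap)
    return sources

def audit(project, group_members, user, displayed):
    """Compare the level shown on a members page with the highest effective level."""
    sources = access_sources(project, group_members, user)
    effective = max(sources.values(), default=0)
    return {"effective": NAME.get(effective, "none"), "displayed": NAME[displayed],
            "mismatch": effective != displayed, "sources": sources}

if __name__ == "__main__":
    print(audit(PROJECT, GROUP_MEMBERS, "alice", ACCESS["reporter"]))
```

Listing every source next to the effective level shows an auditor which membership actually grants write access, not just that the displayed value is wrong.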