Unable to delete system notes of any user using Notes API
Summary
Previously (~v10.1.7), it was possible to use the Notes API to delete system notes of any user. Since v10.7 and because of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18136 (I think) this is no longer possible.
- Was being able to delete system notes of any user originally unintended or intended behavior?
Steps to reproduce
- Create a new user
- Add a personal access token with full api scope
- Try to delete any system note using Notes API
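To make the reproduction steps above concrete, here is an added example script (not code from this issue or from GitLab itself) that lists the notes on one issue through the Notes API, picks out the system notes, and attempts a DELETE on each one with a personal access token. On current GitLab the server answers 403 for a system note the token's user does not own, and the script records that outcome instead of aborting. BASE_URL, the project path and the injectable request function are assumptions so the logic can run offline.

```python
"""Attempt to delete the system notes on a GitLab issue via the Notes API.

Endpoints used (GitLab REST API v4):
  GET    /projects/:id/issues/:issue_iid/notes
  DELETE /projects/:id/issues/:issue_iid/notes/:note_id
The HTTP layer is injectable so the outcome handling can be exercised offline.
"""
import json
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

BASE_URL = "https://gitlab.example.com/api/v4"  # assumed placeholder instance

# A requester takes (method, url, headers) and returns (status, body).
Requester = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


def urllib_requester(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default requester on the standard library; 4xx/5xx are returned, not raised."""
    req = Request(url, method=method, headers=headers)
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def cull_system_notes(token: str, project: str, issue_iid: int,
                      request: Requester = urllib_requester,
                      base_url: str = BASE_URL) -> Dict[str, List[int]]:
    """Try to delete every system note on one issue and group note ids by outcome.

    'deleted' = HTTP 204, 'forbidden' = HTTP 403 (the behaviour this issue
    reports for notes not owned by the token user), 'other' = anything else.
    """
    headers = {"PRIVATE-TOKEN": token}
    notes_path = f"{base_url}/projects/{quote(project, safe='')}/issues/{issue_iid}/notes"
    status, body = request("GET", f"{notes_path}?per_page=100", headers)
    if status != 200:
        raise RuntimeError(f"listing notes failed with HTTP {status}")
    outcome: Dict[str, List[int]] = {"deleted": [], "forbidden": [], "other": []}
    for note in json.loads(body):
        if not note.get("system"):
            continue  # user comments are out of scope; only system notes are culled
        status, _ = request("DELETE", f"{notes_path}/{note['id']}", headers)
        key = "deleted" if status == 204 else "forbidden" if status == 403 else "other"
        outcome[key].append(note["id"])
    return outcome
```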
Example Project
N/A
What is the current bug behaviour?
When attempting to delete a system note not owned by the token user, a 403: Forbidden error is received.
What is the expected correct behaviour?
The system note should be deleted.
BUT: I'm opening this issue partly to clarify if the previous behaviour was even intended.
Context
The customer has detailed their use case (from Zendesk ticket, internal use), which I am copying below:
My use case is that I maintain a gitlab mirror of an external gitlab project. The mirror uses the gitlab mirror functionality to automatically keep the repo up to date and works very well. However, I also desire to mirror the Issue tracker and Merge Requests from the external gitlab project, which is functionality that the automatic gitlab mirror feature lacks.
So, I wrote a bot that uses the gitlab REST API to keep these additional data mirrored, however, every time the bot modifies the mirrored Issue/MR a system note is automatically created specifying the change that the bot made. Mixing the internal workings of the mirror with the real system notes mirrored from the external repo is verbose and at best confusing to users. I know there’s a way to hide system notes, but each user would have to do that individually and writing in a simple routine to cull mirror bot system notes seemed preferable.
Output of checks
Results of GitLab environment info
System information
System: Debian 8.11
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version:1.16.6
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version:5.2.5
Go Version: unknown

GitLab information
Version: 11.8.1-ee
Revision: 39d0b2e
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.11
URL: https://gitlab-test.weimeng.co
HTTP Clone URL: https://gitlab-test.weimeng.co/some-group/some-project.git
SSH Clone URL: git@gitlab-test.weimeng.co:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 8.4.4
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... 51/1 ... yes 51/2 ... yes 52/3 ... yes 52/4 ... yes 52/5 ... yes 53/6 ... yes 53/7 ... yes 53/8 ... yes 53/9 ... yes 53/10 ... yes 53/11 ... yes 53/12 ... yes 53/13 ... yes 53/14 ... yes 53/15 ... yes 54/16 ... yes 54/17 ... yes 54/18 ... yes 54/19 ... yes 54/20 ... yes 54/21 ... yes 55/22 ... yes 55/23 ... yes 56/24 ... yes 56/25 ... yes 56/26 ... yes 56/27 ... yes 56/28 ... yes 57/29 ... yes 57/30 ... yes 57/31 ... yes 57/32 ... yes 57/33 ... yes 57/34 ... yes 57/35 ... yes 57/36 ... yes 57/37 ... yes 58/38 ... yes 58/39 ... yes 58/40 ... yes 58/41 ... yes 58/42 ... yes 59/43 ... yes 59/44 ... yes 59/45 ... yes 59/46 ... yes 59/47 ... yes 59/48 ... yes 59/49 ... yes 59/50 ... yes 59/51 ... yes 60/52 ... yes 60/53 ... yes 60/54 ... yes 61/55 ... yes 61/56 ... yes 61/57 ... yes 61/58 ... yes 62/59 ... yes 62/60 ... yes 62/61 ... yes 62/62 ... yes 63/63 ... yes 63/64 ... yes 63/65 ... yes 63/66 ... yes 63/67 ... yes 63/68 ... yes 64/69 ... yes 64/70 ... yes 64/71 ... yes 64/72 ... yes 64/73 ... yes 64/74 ... yes 64/75 ... yes 64/76 ... yes 64/77 ... yes 64/78 ... yes 65/79 ... yes 65/80 ... yes 72/81 ... yes 73/82 ... yes 1/83 ... yes 66/84 ... yes 1/85 ... yes 65/86 ... yes 76/87 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 54
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
Don't have a possible fix, but pretty sure the logic happens here: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/policies/note_policy.rb