Non-private projects can be created in private groups
Summary
When creating a project inside a private group, the default selected visibility is internal, even though it is grayed out and states this in the UI:
This project cannot be internal because the visibility of private-group is private. To make this project internal, you must first change the visibility of the parent group.
Prior to 11.11, this allowed the action to go through, leading to information disclosure. The backend piece is fixed now though.
Steps to reproduce
- As an admin, set the default visibility to internal for the site
- As a regular user, create a private group
- As a regular user, create a project inside the private group, but do not submit
- As a regular user, note that the default selection is not private
What is the current bug behavior?
Non-private project is created inside my private group
What is the expected correct behavior?
Project creation is rejected because internal projects can't be inside a private group
Relevant logs and/or screenshots
Screenshot on self-hosted instance (bug is present):
Results of GitLab environment info
System information
System: CentOS 7.5.1804
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.21.0
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 11.11.0-ee
Revision: deb6f84e91f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 9.6.11
URL: https://git.dev.knack.works
HTTP Clone URL: https://git.dev.knack.works/some-group/some-project.git
SSH Clone URL: git@git.dev.knack.works:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 9.1.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
All tests passed.
Possible fixes
Seems likely related to this issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/52644
Edited by Aron Parsons
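The two checks this report touches, as an added Ruby example that is not GitLab's own code: the form default clamped to the parent group's visibility, and a server-side validation that rejects a project more open than its group regardless of what the form submitted. The module name, method names and numeric levels are assumptions made for this example; only the ordering private < internal < public matters.

```ruby
# Added illustration, not GitLab source code. Names and numeric levels are
# assumptions chosen for this example; only their ordering matters.
module Visibility
  LEVELS = { 'private' => 0, 'internal' => 10, 'public' => 20 }.freeze

  # Levels a project may use inside a group: never more open than the group.
  def self.allowed_in(group_level)
    cap = LEVELS.fetch(group_level)
    LEVELS.select { |_, v| v <= cap }.keys
  end

  # What the form should preselect: the site default, clamped to the group.
  def self.form_default(site_default, group_level)
    allowed = allowed_in(group_level)
    return site_default if allowed.include?(site_default)
    allowed.max_by { |name| LEVELS.fetch(name) }
  end

  # Server-side check; runs regardless of what the form sent.
  # Returns [ok, error_message].
  def self.validate_project(requested, group_level)
    return [false, "unknown visibility #{requested.inspect}"] unless LEVELS.key?(requested)
    return [true, nil] if allowed_in(group_level).include?(requested)
    [false, "project cannot be #{requested} because the parent group is #{group_level}"]
  end
end

# Constructed scenario from the report: site default internal, private group.
if __FILE__ == $PROGRAM_NAME
  puts Visibility.form_default('internal', 'private')
  p Visibility.validate_project('internal', 'private')
  p Visibility.validate_project('private', 'private')
end
```

The form default is a usability concern; the validation is the control that prevents disclosure, since a client can submit any value the form grays out.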