Admins can push on protected branches without permission

Summary

On protected branches, when push action is restricted to only one user, other users can still push if they are admins.

Steps to reproduce

  • Have two users: User 1, and User 2. User 2 is Admin.
  • Protect a branch (master?)
  • Allow only one user (User 1) to push (0 roles, 1 user, 0 groups)
  • Push on the protected branch as User 2

What is the current bug behavior?

Push as User 2 is accepted.

Note that it appears the push is correctly rejected when User 2 is a regular user.
Push is also correctly rejected when NO user is allowed to push.

What is the expected correct behavior?

Push as User 2 should be rejected.

Relevant logs and/or screenshots

When another user is allowed to push to the protected branch, pushing as User 2 (admin) (incorrect behavior):

Pushing to git@gitlab.xxx.yyy:GROUP/REPO.git
Counting objects: 6, done.
Writing objects: 100% (6/6), 514 bytes | 514.00 KiB/s, done.
Total 6 (delta 4), reused 0 (delta 0)
To gitlab.xxx.yyy:GROUP/REPO.git
   2c5012f06..dcdb9a87f  master -> master
updating local tracking ref 'refs/remotes/origin/master'

When no user is allowed to push to protected branch, pushing as User 2 (admin) (correct behavior):

Pushing to git@gitlab.xxx.yyy:GROUP/REPO.git
Counting objects: 6, done.
Writing objects: 100% (6/6), 514 bytes | 514.00 KiB/s, done.
Total 6 (delta 4), reused 0 (delta 0)
remote: GitLab: You are not allowed to push code to protected branches on this project.
To gitlab.xxx.yyy:GROUP/REPO.git
 ! [remote rejected]     master -> master (pre-receive hook declined)
error: failed to push some refs to 'git@gitlab.xxx.yyy:GROUP/REPO.git'

Output of checks

Results of GitLab environment info


System information
System: Debian 9.1
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.3.6p384
Gem Version: 2.6.13
Bundler Version: 1.13.7
Rake Version: 12.3.0
Redis Version: 3.2.11
Git Version: 2.14.3
Sidekiq Version: 5.0.5
Go Version: unknown

GitLab information
Version: 10.7.3-ee
Revision: 584a495
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.8
URL: https://gitlab.xxx.yyy
HTTP Clone URL: https://gitlab.xxx.yyy/some-group/some-project.git
SSH Clone URL: git@gitlab.xxx.yyy:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: no

GitLab Shell
Version: 7.1.2
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check


Checking GitLab Shell ...

GitLab Shell version >= 7.1.2 ? ... OK (7.1.2)
Repo base directory exists? default... yes
Repo storage directories are symlinks? default... no
Repo paths owned by git:root, or git:git? default... yes
Repo paths access is drwxrws---? default... yes
hooks directories in repos are links: ...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml

Checking LDAP ...

Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

[ --- SNIPPED : LDAP USERS LIST --- ]

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.6)
Git version >= 2.9.5 ? ... yes (2.14.3)
Git user has default SSH configuration? ... no
  Try fixing it:
  mkdir ~/gitlab-check-backup-1528208876
  sudo mv /var/opt/gitlab/.ssh/id_rsa ~/gitlab-check-backup-1528208876
  sudo mv /var/opt/gitlab/.ssh/id_rsa.pub ~/gitlab-check-backup-1528208876
  For more information see:
  doc/ssh/README.md in section "SSH on the GitLab server"
  Please fix the error above and rerun the checks.
Active users: ... 71
Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)

Checking GitLab ... Finished
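
An audit check for the configuration described in the steps to reproduce (0 roles, 1 user, 0 groups), as an added example that is not part of the original report or of GitLab's code: it lists the protected branches whose push rule names only individual users, together with the admins who are not on that allow list. The JSON and the admin id list are constructed, and the JSON is assumed to follow the shape of the protected branches API response (`push_access_levels` entries with `access_level`, `user_id`, `group_id`).

```ruby
require 'json'

# Constructed sample, shaped like a protected branches API response (assumption).
PROTECTED_BRANCHES_JSON = <<~JSON
  [
    {"name": "master", "push_access_levels": [
      {"access_level": null, "user_id": 1, "group_id": null}]},
    {"name": "release", "push_access_levels": [
      {"access_level": 0, "user_id": null, "group_id": null}]},
    {"name": "develop", "push_access_levels": [
      {"access_level": 40, "user_id": null, "group_id": null},
      {"access_level": null, "user_id": 1, "group_id": null}]}
  ]
JSON

# Constructed list of instance admin user ids (User 2 from the report).
ADMIN_IDS = [2].freeze

# Split a branch's push rules into roles, users and groups, the same
# "N roles, N users, N groups" breakdown the report quotes.
def push_rule_breakdown(branch)
  rules = branch.fetch('push_access_levels', [])
  {
    roles:  rules.select { |r| r['user_id'].nil? && r['group_id'].nil? }
                 .map { |r| r['access_level'] }
                 .reject { |lvl| lvl.nil? || lvl.zero? }, # 0 = "No one"
    users:  rules.map { |r| r['user_id'] }.compact,
    groups: rules.map { |r| r['group_id'] }.compact
  }
end

# Return branches in the reported configuration (0 roles, >= 1 user, 0 groups)
# mapped to the admin ids that are not on the branch's user allow list.
def user_only_branches_with_unlisted_admins(branches, admin_ids)
  branches.each_with_object({}) do |branch, findings|
    b = push_rule_breakdown(branch)
    next unless b[:roles].empty? && b[:groups].empty? && !b[:users].empty?
    unlisted = admin_ids - b[:users]
    findings[branch['name']] = unlisted unless unlisted.empty?
  end
end

FINDINGS = user_only_branches_with_unlisted_admins(
  JSON.parse(PROTECTED_BRANCHES_JSON), ADMIN_IDS
)
puts FINDINGS.inspect
```

Only `master` is reported: `release` allows no one to push, the case the report says is rejected correctly, and `develop` also grants push by role, so it is outside the reported configuration.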