Skip to content

Invalid group/subgroup names e.g. 'api/v4'

Summary

Users are able to create (sub)groups with names like "api/v4". Those groupnames are not valid due to a conflict with the API/URL.

Steps to reproduce

Create a group named "api". Create a subgroup named "api/v4".

What is the current bug behavior?

Gitlab does create a group called "api".

What is the expected correct behavior?

Gitlab should deny groups and usernames with the name "api" or whatever leads into a url like "https://gitlabserver/api".

Gitlab-Version

9.0.2