Administrators can only run pipes on projects that they are members

Summary

As an administrator user I can see and edit any project that I want. But if I try to run a gitrunner of a project that I am not in (as group or member), the git runner gives a very generic "fatal: unable to access" error in the console.

Steps to reproduce

1- Change your user to Administrator 2- Exit Project A (by no longer being a member of it) 3- Run any git-runner pipeline of the Project A 4- The console it is going to give you a "fatal: unable to access"

What is the current bug behavior?

When you are a administrator you can access any project, but if you are not a member of the project it is going to give you this error when trying to run a pipeline.

What is the expected correct behavior?

As a administrator you should be able to build/run pipes of any project because you can actually have access to any project.

Relevant logs and/or screenshots

The error in the pipeline console is:

Running with gitlab-runner 11.1.0 (a81908a7)
  on gitlab-runner-scs b4bc47e7
Using Shell executor...
Running on gitlab...
Cloning repository...
Cloning into '/home/gitlab-runner/builds/b4bc47e7/0/yyy/xxx'...
remote: You are not allowed to download code from this project.
fatal: unable to access 'http://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.xyz.com.br/yyy/xxx.git/': The requested URL returned error: 403
ERROR: Job failed: exit status 1

Output of checks

This bug happens in the Gitlab EE

Results of GitLab environment info

Expand for output related to GitLab environment info 
System information
System:		Ubuntu 14.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.4.4p296
Gem Version:	2.7.6
Bundler Version:1.16.2
Rake Version:	12.3.1
Redis Version:	3.2.11
Git Version:	2.17.1
Sidekiq Version:5.1.3
Go Version:	unknown


GitLab information
Version:	11.1.4-ee
Revision:	d17962f
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	postgresql
DB Version:	9.6.8
URL:		http://xxxxxxxxxx
HTTP Clone URL:	http://xxxxxxxxxx/some-group/some-project.git
SSH Clone URL:	git@xxxxxxxxxx:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	no


GitLab Shell
Version:	7.1.4
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab Shell ...


GitLab Shell version >= 7.1.4 ? ... OK (7.1.4)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
2/5 ... ok
2/6 ... ok
2/7 ... ok
14/8 ... repository is empty
2/9 ... ok
16/10 ... repository is empty
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK


Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Sidekiq ...


Running? ... yes
Number of Sidekiq processes ... 1


Checking Sidekiq ... Finished


Reply by email is disabled in config/gitlab.yml
Checking LDAP ...


LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
2/5 ... yes
2/6 ... yes
2/7 ... yes
14/8 ... yes
2/9 ... yes
16/10 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.4)
Git version >= 2.9.5 ? ... yes (2.17.1)
Git user has default SSH configuration? ... yes
Active users: ... 9
Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)


Checking GitLab ... Finished

Possible fixes

I think it's related to the permission of the user when fetching the repository. It seems that gitlab only looks at the member-level project, and does not look if the user is an administrator or not.