Wrong access level in api/v4/projects/:id/members/all
Summary
API endpoint api/v4/projects/:id/members/all
delivers wrong access level for users which got access by sharing with group.
This access level is not limited my Max access level
.
Steps to reproduce
Share a project with a group and limit access level of this sharing to Developer
.
Many new owners and maintainers are listed via API.
Example Project
Following project has only one member (myself) and is shared with group siemens
limiting to developer access level.
Getting all members via api shows many members with access level maintainer and owner.
https://gitlab.com/api/v4/projects/12762042/members/all
What is the current bug behavior?
User access level provided via API is not limited by configured Max access level
.
What is the expected correct behavior?
User access level provided via API should be limited by configured Max access level
.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
The queries are rather complicated after last update by !24005 (merged), so I don't exactly know how, but it's in the code touched by that MR. I have also tested in GDK that mentioned MR did not fix this problem...
/cc @jacopo-beschi
duplicate of https://gitlab.com/gitlab-org/gitlab-ce/issues/62284