Wrong role is granted to user when changing group member role
Summary
We've got a strange and dangerous bug on our omnibus 8.15.4 GitLab instance. When changing the role of a group member, the user is granted the role from the previous role change instead of the current one.
Steps to reproduce and actual behavior
- Add a project member with the Master role.
  The user receives a notification e-mail saying "You have been granted Master access to the groupname group.".
  Everything is OK for now.
- On the group member tab, change the user's role to Developer.
  The user receives a notification e-mail saying "You have been granted Master access to the groupname group.".
  On the group member tab the user's role is now shown as Developer, but the user still has all Master role privileges.
- On the group member tab, change the user's role to Guest.
  The user receives a notification e-mail saying "You have been granted Developer access to the groupname group.".
  On the group member tab the user's role is now shown as Guest, but the user now has Developer role privileges.
- On the group member tab, change the user's role to Reporter.
  The user receives a notification e-mail saying "You have been granted Guest access to the groupname group.".
  On the group member tab the user's role is now shown as Reporter, but the user now has Guest role privileges.
Relevant logs and/or screenshots
/var/log/gitlab/gitlab-rails/production.log
for the first two steps above:
Started POST "/groups/testonly/group_members" for 192.168.20.241 at 2017-01-18 10:49:14 +0200
Processing by Groups::GroupMembersController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"h7eXFoShm5dI0PKTaxLOrMvwrLlJQxnOjxe8Mgy5EfW9jnVFAzop+/o4peSDQ3Im8dWcaOrsRk9x8XMpHRhhqw==", "user_ids"=>"43", "access_level"=>"40", "expires_at"=>"", "group_id"=>"testonly"}
[ActiveJob] Enqueued ActionMailer::DeliveryJob (Job ID: 51552426-a09d-48c4-9323-7fe3ff04f3cd) to Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
[ActiveJob] [ActionMailer::DeliveryJob] [51552426-a09d-48c4-9323-7fe3ff04f3cd] Performing ActionMailer::DeliveryJob from Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
[ActiveJob] [ActionMailer::DeliveryJob] [51552426-a09d-48c4-9323-7fe3ff04f3cd] Performed ActionMailer::DeliveryJob from Sidekiq(mailers) in 10.19ms
Redirected to https://git.example.ua/groups/testonly/group_members
Completed 302 Found in 76ms (ActiveRecord: 53.1ms)
Started GET "/groups/testonly/group_members" for 192.168.20.241 at 2017-01-18 10:49:14 +0200
Processing by Groups::GroupMembersController#index as HTML
Parameters: {"group_id"=>"testonly"}
Completed 200 OK in 81ms (Views: 61.2ms | ActiveRecord: 6.0ms)
Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2017-01-18 10:49:17 +0200
Started POST "/api/v3/internal/allowed" for 127.0.0.1 at 2017-01-18 10:49:20 +0200
[ActiveJob] [ActionMailer::DeliveryJob] [51552426-a09d-48c4-9323-7fe3ff04f3cd] Performing ActionMailer::DeliveryJob from Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
[ActiveJob] [ActionMailer::DeliveryJob] [51552426-a09d-48c4-9323-7fe3ff04f3cd] Sent mail to slavikz@example.ua (47.3ms)
[ActiveJob] [ActionMailer::DeliveryJob] [51552426-a09d-48c4-9323-7fe3ff04f3cd] Performed ActionMailer::DeliveryJob from Sidekiq(mailers) in 62.16ms
Started GET "/users/sign_in" for 192.168.16.150 at 2017-01-18 10:49:45 +0200
Processing by SessionsController#new as */*
Completed 200 OK in 17ms (Views: 6.8ms | ActiveRecord: 1.8ms)
Started GET "/groups/testonly/group_members" for 192.168.20.241 at 2017-01-18 10:50:15 +0200
Processing by Groups::GroupMembersController#index as HTML
Parameters: {"group_id"=>"testonly"}
Completed 200 OK in 85ms (Views: 64.7ms | ActiveRecord: 7.0ms)
Started PATCH "/groups/testonly/group_members/128" for 192.168.20.241 at 2017-01-18 10:50:20 +0200
Processing by Groups::GroupMembersController#update as JS
Parameters: {"utf8"=>"✓", "group_member"=>{"access_level"=>"30", "expires_at"=>""}, "group_id"=>"testonly", "id"=>"128"}
[ActiveJob] Enqueued ActionMailer::DeliveryJob (Job ID: 5c04bc56-1b13-45ac-84b1-ad5f54ee2eae) to Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
[ActiveJob] [ActionMailer::DeliveryJob] [5c04bc56-1b13-45ac-84b1-ad5f54ee2eae] Performing ActionMailer::DeliveryJob from Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
Completed 200 OK in 41ms (Views: 2.8ms | ActiveRecord: 20.6ms)
[ActiveJob] [ActionMailer::DeliveryJob] [5c04bc56-1b13-45ac-84b1-ad5f54ee2eae] Sent mail to slavikz@example.ua (73.1ms)
[ActiveJob] [ActionMailer::DeliveryJob] [5c04bc56-1b13-45ac-84b1-ad5f54ee2eae] Performed ActionMailer::DeliveryJob from Sidekiq(mailers) in 96.96ms
Scheduling removal of build artifacts
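As an added example (not part of the report and not GitLab's own code): a Ruby script that reconstructs, from production.log lines like the ones above, who requested which access level for which group member and which notification jobs each request enqueued. The Rails log format and the Groups::GroupMembersController parameter names are taken from the excerpt; the sample log embedded in the script is constructed from that excerpt with the authenticity_token shortened.

```ruby
require 'time'

# Constructed sample in the format of the production.log excerpt in the report
# (ids, IPs and timestamps as logged there; authenticity_token shortened).
SAMPLE_LOG = <<~LOG
  Started POST "/groups/testonly/group_members" for 192.168.20.241 at 2017-01-18 10:49:14 +0200
  Processing by Groups::GroupMembersController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"h7eX...", "user_ids"=>"43", "access_level"=>"40", "expires_at"=>"", "group_id"=>"testonly"}
  [ActiveJob] Enqueued ActionMailer::DeliveryJob (Job ID: 51552426-a09d-48c4-9323-7fe3ff04f3cd) to Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
  [ActiveJob] [ActionMailer::DeliveryJob] [51552426-a09d-48c4-9323-7fe3ff04f3cd] Performing ActionMailer::DeliveryJob from Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
  Completed 302 Found in 76ms (ActiveRecord: 53.1ms)
  Started GET "/users/sign_in" for 192.168.16.150 at 2017-01-18 10:49:45 +0200
  Processing by SessionsController#new as */*
  Completed 200 OK in 17ms (Views: 6.8ms | ActiveRecord: 1.8ms)
  Started PATCH "/groups/testonly/group_members/128" for 192.168.20.241 at 2017-01-18 10:50:20 +0200
  Processing by Groups::GroupMembersController#update as JS
  Parameters: {"utf8"=>"✓", "group_member"=>{"access_level"=>"30", "expires_at"=>""}, "group_id"=>"testonly", "id"=>"128"}
  [ActiveJob] Enqueued ActionMailer::DeliveryJob (Job ID: 5c04bc56-1b13-45ac-84b1-ad5f54ee2eae) to Sidekiq(mailers) with arguments: "Notify", "member_access_granted_email", "deliver_now", "Group", 128
  Completed 200 OK in 41ms (Views: 2.8ms | ActiveRecord: 20.6ms)
LOG

# Numeric access levels as GitLab logs them (Master = 40, Developer = 30 above).
ROLE_NAMES = { 10 => 'Guest', 20 => 'Reporter', 30 => 'Developer', 40 => 'Master', 50 => 'Owner' }.freeze

STARTED_RE    = /\AStarted (?<method>[A-Z]+) "(?<path>[^"]+)" for (?<ip>\S+) at (?<time>.+)\z/
PROCESSING_RE = /\AProcessing by (?<controller>\S+)#(?<action>\w+) as /
PARAMS_RE     = /\A\s*Parameters: (?<params>\{.*\})\z/
ENQUEUED_RE   = /\A\[ActiveJob\] Enqueued \S+ \(Job ID: (?<id>[0-9a-f-]+)\).* with arguments: (?<args>.+)\z/

# The Parameters hash is Ruby inspect output, not JSON: pull out every
# "key"=>"value" pair. Nested hashes are flattened, which is enough here
# because the member controller nests only access_level and expires_at.
def parse_params(text)
  text.scan(/"([^"]+)"=>"([^"]*)"/).to_h
end

def membership_change?(req)
  req[:controller] == 'Groups::GroupMembersController' && %w[create update].include?(req[:action])
end

# The mailer job carries the GroupMember id as its last argument; for a create
# request that is the only place the new member's id appears in the log.
def membership_record(req)
  params    = req[:params] || {}
  level     = params['access_level'] && params['access_level'].to_i
  mail_jobs = req[:jobs].select { |j| j[:args].include?('member_access_granted_email') }
  member_id = params['id'] || mail_jobs.map { |j| j[:args][/(\d+)\z/, 1] }.compact.first
  {
    time: req[:time], ip: req[:ip], action: req[:action], group: params['group_id'],
    member_id: member_id, user_ids: params['user_ids'],
    access_level: level, role: ROLE_NAMES.fetch(level, 'unknown'),
    mail_jobs: mail_jobs.map { |j| j[:id] },
  }
end

# One record per request that created or updated a group member. A request
# spans several lines: Started, Processing by, Parameters, enqueued jobs, Completed.
def membership_changes(log)
  changes = []
  current = nil
  log.each_line do |raw|
    line = raw.chomp
    if (m = STARTED_RE.match(line))
      current = { method: m[:method], path: m[:path], ip: m[:ip], time: Time.parse(m[:time]), jobs: [] }
    elsif current.nil?
      next
    elsif (m = PROCESSING_RE.match(line))
      current[:controller], current[:action] = m[:controller], m[:action]
    elsif (m = PARAMS_RE.match(line))
      current[:params] = parse_params(m[:params])
    elsif (m = ENQUEUED_RE.match(line))
      current[:jobs] << { id: m[:id], args: m[:args] }
    elsif line.start_with?('Completed ')
      changes << membership_record(current) if membership_change?(current)
      current = nil
    end
  end
  changes
end

# Requested role per GroupMember id, in log order: the sequence to compare
# against the roles named in the e-mails the user actually received.
def role_history(changes)
  changes.group_by { |c| c[:member_id] }.transform_values do |recs|
    recs.map { |c| [c[:time].strftime('%Y-%m-%d %H:%M:%S %z'), c[:role]] }
  end
end

if $PROGRAM_NAME == __FILE__
  log = ARGV.empty? ? SAMPLE_LOG : File.read(ARGV[0])
  membership_changes(log).each do |c|
    puts format('%s %s %-6s group=%s member=%s access_level=%s (%s) mail_jobs=%s',
                c[:time].strftime('%F %T'), c[:ip], c[:action], c[:group], c[:member_id],
                c[:access_level], c[:role], c[:mail_jobs].join(','))
  end
end
```

Run it with no arguments to parse the embedded sample, or pass the path to production.log. The mailer job arguments carry only the GroupMember id, so the log cannot show which role the e-mail named; what this prints is the history of requested roles per member, and the symptom in the report appears as a one-step lag when that history is placed next to the roles named in the e-mails the user received.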
Results of GitLab application Check
sudo gitlab-rake gitlab:check SANITIZE=true
Checking GitLab Shell ...
GitLab Shell version >= 4.1.1 ? ... OK (4.1.1)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
3/3 ... ok
3/4 ... ok
3/5 ... ok
3/6 ... ok
3/7 ... ok
3/8 ... ok
3/9 ... ok
15/10 ... ok
15/11 ... ok
3/12 ... ok
3/13 ... ok
3/16 ... ok
3/17 ... ok
10/18 ... ok
21/19 ... ok
10/21 ... ok
12/22 ... ok
3/24 ... ok
3/25 ... ok
3/26 ... ok
28/27 ... ok
34/28 ... ok
33/29 ... ok
34/30 ... ok
34/34 ... ok
34/35 ... ok
34/36 ... ok
8/37 ... ok
34/38 ... ok
34/39 ... ok
34/40 ... ok
34/41 ... ok
8/42 ... ok
21/43 ... ok
26/44 ... ok
3/45 ... ok
34/47 ... ok
34/48 ... ok
34/49 ... ok
34/50 ... ok
34/51 ... ok
39/52 ... repository is empty
12/53 ... ok
34/54 ... ok
34/55 ... ok
34/56 ... ok
3/58 ... ok
3/59 ... ok
3/60 ... ok
3/61 ... ok
3/62 ... ok
3/63 ... ok
3/64 ... ok
12/65 ... ok
4/66 ... ok
33/68 ... ok
3/69 ... ok
34/70 ... ok
40/72 ... ok
34/73 ... ok
40/74 ... ok
6/75 ... ok
34/76 ... ok
2/77 ... ok
12/78 ... ok
44/80 ... ok
3/81 ... ok
3/86 ... ok
33/88 ... ok
4/89 ... ok
40/90 ... ok
34/91 ... ok
33/92 ... ok
11/93 ... ok
40/94 ... ok
40/95 ... ok
40/96 ... ok
40/97 ... ok
51/100 ... ok
33/101 ... ok
51/102 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
3/3 ... yes
3/4 ... yes
3/5 ... yes
3/6 ... yes
3/7 ... yes
3/8 ... yes
3/9 ... yes
15/10 ... yes
15/11 ... yes
3/12 ... yes
3/13 ... yes
3/16 ... yes
3/17 ... yes
10/18 ... yes
21/19 ... yes
10/21 ... yes
12/22 ... yes
3/24 ... yes
3/25 ... yes
3/26 ... yes
28/27 ... yes
34/28 ... yes
33/29 ... yes
34/30 ... yes
34/34 ... yes
34/35 ... yes
34/36 ... yes
8/37 ... yes
34/38 ... yes
34/39 ... yes
34/40 ... yes
34/41 ... yes
8/42 ... yes
21/43 ... yes
26/44 ... yes
3/45 ... yes
34/47 ... yes
34/48 ... yes
34/49 ... yes
34/50 ... yes
34/51 ... yes
39/52 ... yes
12/53 ... yes
34/54 ... yes
34/55 ... yes
34/56 ... yes
3/58 ... yes
3/59 ... yes
3/60 ... yes
3/61 ... yes
3/62 ... yes
3/63 ... yes
3/64 ... yes
12/65 ... yes
4/66 ... yes
33/68 ... yes
3/69 ... yes
34/70 ... yes
40/72 ... yes
34/73 ... yes
40/74 ... yes
6/75 ... yes
34/76 ... yes
2/77 ... yes
12/78 ... yes
44/80 ... yes
3/81 ... yes
3/86 ... yes
33/88 ... yes
4/89 ... yes
40/90 ... yes
34/91 ... yes
33/92 ... yes
11/93 ... yes
40/94 ... yes
40/95 ... yes
40/96 ... yes
40/97 ... yes
51/100 ... yes
33/101 ... yes
51/102 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.3)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.8.4)
Active users: 38
Checking GitLab ... Finished
Results of GitLab environment info
sudo gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.6.6
Bundler Version: 1.13.7
Rake Version: 10.5.0
Sidekiq Version: 4.2.7
GitLab information
Version: 8.15.4
Revision: a0b1379
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://git.example.ua
HTTP Clone URL: https://git.example.ua/some-group/some-project.git
SSH Clone URL: git@git.example.ua:some-group/some-project.git
Using LDAP: no
Using Omniauth: no
GitLab Shell
Version: 4.1.1
Repository storage paths:
- default: /home/git/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git