API v4 PUT and DELETE broken on project/group labels with same name
Summary
API v4 PUT and DELETE requests to a project or group label only uses the name
field to pick the label, but a single project reports as its labels both project label and group labels which may have the same name.
This mixes up project and group labels with the same name, allowed in GitLab UI, preventing the reliable update or deletion of project labels when a group label with the same name exists.
Steps to reproduce
For a group group
with a project project
, create one group label with name demolabel
(assume id=1), then create a project label in group/project
with the same label name demolabel
(assume id=2).
Both labels should be seen in the project label list in Gitlab UI or can be retrieved using the appropriate API v4 GET request. They have different id
s and different is_project_label
field values. Now update or remove the project label using the API v4:
curl --request PUT --data "id=2&name=demolabel&color=#000000" --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/group%2Fproject/labels"
curl --request DELETE --data "id=2&name=demolabel" --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/group%2Fproject/labels"
What is the current bug behavior?
In both cases, actions are performed over the group label (id=1) and not the project label. As a result, existing duplicated project labels cannot be removed if a group label with the same name exists. It seems that in this case the API picks the label with the lowest id
.
What is the expected correct behavior?
API v4 should allow the use of the label id
field for both actions (PUT and DELETE), and use it to pick the right label without ambiguity.
Having a group and a project label with the same name as targets for these operations should trigger an error or, alternatively, drive the update/delete process of all matching labels.
Possible fixes
One possible solution is to make label id
and optional parameter for PUT and DELETE requests.
This has no impact on current API use for third parties. PUT and DELETE request should fail if more than one label has the same name in case the id
is not specified.
This has impact on lib/api/labels.rb
and lib/api/group_labels.rb
for the specification of required and optional parameters and lib/api/helpers/label_helpers.rb
for the logic.