Groups Problems
Summary
This is happening under my account on gitlab.com.
An additional group NOT assigned to user shows up on his user page: https://gitlab.com/users/hisusername/groups when I look at it
Correct group assigned to user shows up on his user page: https://gitlab.com/users/hisusername/groups when HE looks at it
User sees choice for group he's not assigned to under "Profile Settings" select "Notifications"
He cannot see his merge request page anymore
Seems like there are some group "leakage" issues. Could be some bad security holes.
Steps to reproduce
Create three groups as owner: A, B and C. Assign a different user (as Developer) to group A and NOT B and C. Wait some time (in our case months) and add him to group B, take him off group A.
Expected behavior
In no way should his profile page say he's a member of group A (to me, the owner of group A), while from his POV, he's only in Group B. In no way should he be able to filter notifications for group C under his "Profile Settings" select "Notifications".
Actual behavior
I see his profile page saying he's a member of group A and B, but under group A, he's not listed as a member. From his POV, he's only in Group B on his profile page. He is able to filter notifications for groups B and C under his "Profile Settings" select "Notifications". He is not a member of group C and should have no idea it even exists!
Relevant logs and/or screenshots
I don't want to paste sensitive info here.
Output of checks
Results of GitLab application Check
I cannot run this on gitlab.com.
(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:check SANITIZE=true)
(For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)
(we will only investigate if the tests are passing)
Results of GitLab environment info
I cannot run this on gitlab.com.
(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:env:info)
(For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)