inherited member of a project cannot be speciffically allowed to push to a protected branch

Summary

Push and merge access to a protected branch can be restricted per user. This feature does not work if the user is inherited, that is to say if it has been added to the project because of its group membership.

Steps to reproduce

• Using the user myuser, create a group mygroup.
• Create a project myproject belonging to mygroup, and commit and push a file.
• Change the access level to master branch: allow the role No one and the user myuser to push.
• The push access level has not been updated.

What is the current bug behavior?

The push access level to the master branch are not updated as the user myuser is not added to the policy.

Using the UI, no error can be seen but if you reload the Settings/Repository page, the user myuser has disappeared from the push access level.

Using the API, an error is raised:

curl --request POST --header "PRIVATE-TOKEN: XXX" --data '{"name":"master", "allowed_to_push": [{"access_level": 0}, {"user_id": 70}] }' -H "Content-Type: application/json" 'http://gitlab.mydomain.com/api/v4/projects/YYY/protected_branches'

{"message":["Push access levels user is not a member of the project"]}%

Only the direct members of a project can be used in the push and merge access levels of protected branches.

What is the expected correct behavior?

One should be able to restrict push and merge access to certain users, no matter whether inherited or not.

Relevant logs and/or screenshots

curl --request POST --header "PRIVATE-TOKEN: XXX" --data '{"name":"master", "allowed_to_push": [{"access_level": 0}, {"user_id": 70}] }' -H "Content-Type: application/json" 'http://gitlab.mydomain.com/api/v4/projects/XXX/protected_branches'

{"message":["Push access levels user is not a member of the project"]}%

curl --request POST --header "PRIVATE-TOKEN: XXX" 'http://gitlab.mydomain.com/api/v4/projects/YYY/protected_branches?name=master&push_acces_level=0&allowed_to_push%5B%5D%5Buser_id%5D=70'

{"message":["Push access levels user is not a member of the project"]}

Results of GitLab environment info

Expand for output related to GitLab environment info

System information
System:		Debian 9.9
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.5.3p105
Gem Version:	2.7.6
Bundler Version:1.16.6
Rake Version:	12.3.2
Redis Version:	3.2.12
Git Version:	2.18.1
Sidekiq Version:5.2.3
Go Version:	unknown

GitLab information
Version:	11.7.4-ee
Revision:	3a39cd4
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	postgresql
DB Version:	9.6.11
URL:		http://gitlab.mydomain.com
HTTP Clone URL:	http://gitlab.mydomain.com/some-group/some-project.git
SSH Clone URL:	git@gitlab.mydomain.com:some-group/some-project.git
Elasticsearch:	yes
Geo:		no
Using LDAP:	yes
Using Omniauth:	yes
Omniauth Providers: 

GitLab Shell
Version:	8.4.4
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
Hooks:		/opt/gitlab/embedded/service/gitlab-shell/hooks
Git:		/opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
	DN: cn=bob eponge,ou=commerciaux,ou=utilisateurs,dc=interne,dc=mydomain,dc=com	 sAMAccountName: bob.eponge
	
Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... no
  Try fixing it:
  sudo chown -R git /var/opt/gitlab/gitlab-rails/uploads
  sudo find /var/opt/gitlab/gitlab-rails/uploads -type f -exec chmod 0644 {} \;
  sudo find /var/opt/gitlab/gitlab-rails/uploads -type d -not -path /var/opt/gitlab/gitlab-rails/uploads -exec chmod 0700 {} \;
  For more information see:
  doc/install/installation.md in section "GitLab"
  Please fix the error above and rerun the checks.
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... 
3/1 ... yes
3/442 ... yes
3/443 ... yes
3/444 ... yes
47/445 ... yes
6/448 ... yes
8/450 ... yes
8/451 ... yes
8/452 ... yes
8/455 ... yes
8/457 ... yes
8/458 ... yes
8/459 ... yes
9/461 ... yes
10/462 ... yes
5/463 ... yes
4/465 ... yes
4/466 ... yes
47/467 ... yes
47/468 ... yes
4/469 ... yes
4/470 ... yes
4/471 ... yes
4/472 ... yes
4/473 ... yes
4/474 ... yes
4/476 ... yes
47/477 ... yes
4/478 ... yes
47/479 ... yes
4/480 ... yes
4/481 ... yes
47/482 ... yes
4/483 ... yes
4/484 ... yes
4/485 ... yes
47/486 ... yes
4/487 ... yes
4/488 ... yes
4/489 ... yes
47/490 ... yes
47/491 ... yes
4/493 ... yes
4/494 ... yes
4/495 ... yes
4/496 ... yes
4/497 ... yes
47/498 ... yes
47/499 ... yes
4/500 ... yes
4/501 ... yes
47/503 ... yes
4/504 ... yes
4/505 ... yes
4/506 ... yes
4/507 ... yes
4/508 ... yes
4/509 ... yes
4/510 ... yes
47/511 ... yes
47/512 ... yes
4/513 ... yes
4/514 ... yes
47/515 ... yes
4/517 ... yes
47/518 ... yes
47/519 ... yes
47/520 ... yes
47/521 ... yes
4/522 ... yes
4/523 ... yes
4/524 ... yes
4/525 ... yes
47/526 ... yes
4/527 ... yes
47/528 ... yes
47/529 ... yes
4/530 ... yes
4/531 ... yes
47/532 ... yes
4/534 ... yes
4/535 ... yes
47/536 ... yes
47/537 ... yes
4/538 ... yes
4/539 ... yes
47/540 ... yes
4/541 ... yes
47/542 ... yes
4/543 ... yes
4/544 ... yes
47/545 ... yes
47/546 ... yes
4/547 ... yes
47/548 ... yes
47/549 ... yes
47/550 ... yes
47/551 ... yes
4/552 ... yes
4/553 ... yes
4/554 ... yes
4/555 ... yes
47/556 ... yes
47/557 ... yes
47/558 ... yes
47/559 ... yes
47/560 ... yes
4/561 ... yes
47/562 ... yes
47/563 ... yes
47/564 ... yes
47/565 ... yes
66/566 ... yes
47/567 ... yes
4/568 ... yes
47/569 ... yes
47/570 ... yes
4/571 ... yes
47/572 ... yes
4/574 ... yes
4/575 ... yes
47/576 ... yes
4/577 ... yes
4/578 ... yes
4/580 ... yes
47/581 ... yes
4/583 ... yes
47/584 ... yes
4/585 ... yes
4/586 ... yes
47/587 ... yes
4/588 ... yes
4/589 ... yes
4/590 ... yes
4/591 ... yes
47/592 ... yes
4/593 ... yes
4/594 ... yes
4/595 ... yes
4/596 ... yes
4/597 ... yes
4/598 ... yes
47/599 ... yes
47/600 ... yes
4/601 ... yes
47/602 ... yes
47/603 ... yes
4/604 ... yes
47/605 ... yes
4/606 ... yes
4/607 ... yes
4/608 ... yes
4/610 ... yes
4/611 ... yes
47/612 ... yes
47/613 ... yes
4/615 ... yes
47/616 ... yes
47/617 ... yes
47/618 ... yes
4/619 ... yes
4/620 ... yes
47/628 ... yes
1/629 ... yes
4/639 ... yes
4/640 ... yes
4/641 ... yes
4/644 ... yes
4/645 ... yes
15/647 ... yes
47/648 ... yes
4/650 ... yes
47/653 ... yes
47/657 ... yes
4/658 ... yes
4/659 ... yes
8/660 ... yes
47/661 ... yes
4/662 ... yes
4/663 ... yes
4/664 ... yes
4/666 ... yes
4/667 ... yes
4/670 ... yes
4/672 ... yes
4/673 ... yes
47/674 ... yes
47/675 ... yes
6/676 ... yes
6/677 ... yes
6/678 ... yes
4/679 ... yes
6/680 ... yes
4/681 ... yes
4/683 ... yes
4/684 ... yes
4/685 ... yes
4/686 ... yes
16/687 ... yes
47/688 ... yes
6/689 ... yes
47/690 ... yes
66/691 ... yes
4/692 ... yes
8/693 ... yes
4/694 ... yes
6/695 ... yes
6/696 ... yes
4/697 ... yes
8/698 ... yes
4/699 ... yes
47/700 ... yes
64/702 ... yes
64/703 ... yes
4/704 ... yes
47/705 ... yes
6/706 ... yes
4/707 ... yes
6/708 ... yes
4/709 ... yes
4/716 ... yes
4/717 ... yes
6/719 ... yes
4/720 ... yes
4/721 ... yes
4/722 ... yes
4/728 ... yes
10/730 ... yes
6/731 ... yes
6/732 ... yes
8/733 ... yes
4/734 ... yes
6/735 ... yes
6/736 ... yes
6/737 ... yes
4/738 ... yes
72/739 ... yes
4/740 ... yes
6/741 ... yes
4/742 ... yes
4/743 ... yes
4/744 ... yes
4/747 ... yes
4/748 ... yes
6/749 ... yes
6/750 ... yes
4/751 ... yes
4/752 ... yes
6/753 ... yes
8/754 ... yes
8/755 ... yes
47/758 ... yes
4/759 ... yes
4/760 ... yes
72/761 ... yes
4/764 ... yes
4/765 ... yes
8/768 ... yes
4/773 ... yes
16/775 ... yes
16/776 ... yes
16/777 ... yes
16/778 ... yes
16/779 ... yes
8/780 ... yes
4/781 ... yes
8/783 ... yes
47/787 ... yes
47/788 ... yes
8/789 ... yes
4/790 ... yes
4/791 ... yes
4/792 ... yes
4/793 ... yes
4/794 ... yes
4/795 ... yes
4/796 ... yes
8/797 ... yes
47/798 ... yes
8/800 ... yes
6/801 ... yes
4/802 ... yes
47/803 ... yes
4/804 ... yes
17/806 ... yes
10/807 ... yes
4/808 ... yes
4/810 ... yes
4/812 ... yes
4/813 ... yes
4/814 ... yes
24/815 ... yes
4/816 ... yes
17/817 ... yes
6/818 ... yes
4/819 ... yes
8/820 ... yes
4/821 ... yes
6/822 ... yes
4/823 ... yes
4/824 ... yes
6/825 ... yes
8/826 ... yes
4/827 ... yes
85/828 ... yes
85/829 ... yes
85/830 ... yes
85/831 ... yes
24/833 ... yes
85/834 ... yes
85/835 ... yes
85/836 ... yes
85/837 ... yes
85/838 ... yes
4/839 ... yes
4/841 ... yes
85/842 ... yes
86/844 ... yes
86/845 ... yes
86/846 ... yes
86/847 ... yes
86/849 ... yes
45/850 ... yes
8/851 ... yes
4/852 ... yes
8/853 ... yes
86/854 ... yes
86/856 ... yes
86/858 ... yes
86/859 ... yes
86/860 ... yes
4/861 ... yes
93/863 ... yes
49/865 ... yes
86/866 ... yes
8/867 ... yes
86/869 ... yes
86/870 ... yes
86/871 ... yes
86/872 ... yes
6/874 ... yes
6/876 ... yes
6/878 ... yes
6/879 ... yes
101/880 ... yes
101/881 ... yes
86/882 ... yes
86/883 ... yes
86/884 ... yes
4/885 ... yes
4/886 ... yes
106/888 ... yes
9/889 ... yes
10/891 ... yes
106/892 ... yes
4/893 ... yes
14/894 ... yes
9/895 ... yes
109/896 ... yes
10/897 ... yes
8/898 ... yes
4/899 ... yes
86/900 ... yes
86/903 ... yes
86/904 ... yes
4/906 ... yes
86/907 ... yes
111/908 ... yes
86/909 ... yes
111/910 ... yes
111/911 ... yes
111/912 ... yes
111/913 ... yes
111/914 ... yes
111/915 ... yes
111/916 ... yes
111/917 ... yes
111/918 ... yes
111/919 ... yes
111/920 ... yes
111/921 ... yes
111/922 ... yes
111/923 ... yes
111/924 ... yes
111/925 ... yes
111/926 ... yes
4/927 ... yes
4/928 ... yes
111/929 ... yes
111/930 ... yes
4/931 ... yes
86/932 ... yes
111/933 ... yes
111/934 ... yes
45/935 ... yes
4/936 ... yes
86/937 ... yes
5/938 ... yes
4/939 ... yes
4/940 ... yes
4/941 ... yes
4/943 ... yes
115/944 ... yes
115/945 ... yes
111/946 ... yes
8/947 ... yes
111/948 ... yes
111/949 ... yes
111/950 ... yes
121/953 ... yes
120/954 ... yes
120/955 ... yes
8/957 ... yes
113/958 ... yes
121/959 ... yes
120/960 ... yes
4/961 ... yes
4/962 ... yes
10/963 ... yes
111/964 ... yes
111/966 ... yes
111/967 ... yes
86/968 ... yes
4/969 ... yes
4/970 ... yes
4/971 ... yes
4/972 ... yes
111/973 ... yes
126/974 ... yes
111/975 ... yes
122/976 ... yes
121/977 ... yes
4/978 ... yes
128/979 ... yes
101/980 ... yes
4/982 ... yes
115/983 ... yes
101/986 ... yes
111/987 ... yes
47/988 ... yes
10/990 ... yes
86/991 ... yes
86/992 ... yes
4/993 ... yes
4/994 ... yes
111/995 ... yes
4/996 ... yes
4/997 ... yes
86/998 ... yes
86/999 ... yes
12/1001 ... yes
130/1004 ... yes
111/1005 ... yes
127/1006 ... yes
101/1009 ... yes
84/1010 ... yes
24/1011 ... yes
8/1012 ... yes
4/1013 ... yes
4/1015 ... yes
8/1016 ... yes
10/1018 ... yes
84/1019 ... yes
111/1020 ... yes
130/1022 ... yes
24/1023 ... yes
142/1026 ... yes
134/1027 ... yes
121/1029 ... yes
138/1032 ... yes
121/1033 ... yes
116/1034 ... yes
121/1035 ... yes
111/1036 ... yes
4/1038 ... yes
4/1039 ... yes
121/1040 ... yes
4/1041 ... yes
115/1042 ... yes
111/1043 ... yes
111/1044 ... yes
111/1045 ... yes
111/1046 ... yes
101/1047 ... yes
4/1048 ... yes
5/1049 ... yes
4/1050 ... yes
12/1051 ... yes
145/1052 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... no
  Try fixing it:
  mkdir ~/gitlab-check-backup-1561382013
  sudo mv /var/opt/gitlab/.ssh/id_rsa.pub ~/gitlab-check-backup-1561382013
  sudo mv /var/opt/gitlab/.ssh/id_rsa ~/gitlab-check-backup-1561382013
  For more information see:
  doc/ssh/README.md in section "SSH on the GitLab server"
  Please fix the error above and rerun the checks.
Active users: ... 48
Elasticsearch version 5.6 - 6.x? ... yes (6.6.0)

Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished