Issue created Aug 28, 2019 by GitLab SecurityBot@gitlab-securitybotReporter

ESCALATED: Projects are allowed to add members with different domain email address despite restricting in group settings

HackerOne report #679567 by ashish_r_padelkar on 2019-08-22, assigned to gitlab_cmaxim:

Summary

Hello,

In the new feature https://gitlab.com/help/user/group/index#allowed-domain-restriction-premium-only, it is mentioned that you can restrict access to groups and their underlying projects by allowing only users with email addresses in particular domains to be added to the group.

However, this restriction only works at group level and not projects underneath it.

Steps to reproduce

  1. Go to group settings at /-/edit#js-permissions-settings and put gitlab.com under Restrict membership by email.

  2. Now try to add members at group membership with a different email and it won't allow you to do so.

  3. Now, as a maintainer, go to a project underneath it and add an email with a different domain; it will successfully add the member.

What is the current bug behavior?

Allows adding emails of different domains at project level despite the restriction being set at group level.

What is the expected correct behavior?

The settings should be applied at all levels as per documentation.

Output of checks

This bug happens on GitLab.com and probably on Omnibus installations too.

Regards,
Ashish

Impact

Allows adding members with different domain email addresses at project level despite group level settings.

Edited Dec 06, 2019 by GitLab SecurityBot
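The defect above is a membership check that consults only the object being edited instead of the whole ownership chain. The following Ruby is an added illustration written for this page, not GitLab's own code: a toy `Group`/`Project` model in which a domain restriction set on any ancestor group is inherited by subgroups and projects, shown beside the project-level check that ignores the group (the behaviour the report describes). Names such as `allowed_email_domains`, `project_add_member_vulnerable` and `project_add_member_fixed` are assumptions of this example.

```ruby
# Added example (not GitLab's code): enforce a group's allowed email
# domains on every project beneath it by walking the ancestor chain.
Group = Struct.new(:name, :parent, :allowed_email_domains)
Project = Struct.new(:name, :group)

# Collect the restriction lists of the group and all of its ancestors.
# Any non-empty list on the way to the root applies to the project.
def effective_allowed_domains(group)
  lists = []
  while group
    lists << group.allowed_email_domains if group.allowed_email_domains&.any?
    group = group.parent
  end
  lists
end

# Extract the domain part of an address; nil when it is malformed.
def domain_of(email)
  local, sep, domain = email.to_s.rpartition('@')
  return nil if sep.empty? || local.empty? || domain.empty?
  domain.downcase
end

# True only when every restriction in the hierarchy admits the domain.
# No restriction anywhere means the add is allowed.
def email_allowed_in_group?(group, email)
  domain = domain_of(email)
  return false unless domain
  effective_allowed_domains(group).all? do |list|
    list.map(&:downcase).include?(domain)
  end
end

# Behaviour described in the report: the project-level path validates
# the address but never consults the owning group's restriction.
def project_add_member_vulnerable(_project, email)
  !domain_of(email).nil?
end

# Hardened check: a project defers to the domain policy of its group
# hierarchy, so the group setting applies at all levels.
def project_add_member_fixed(project, email)
  email_allowed_in_group?(project.group, email)
end
```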