ESCALATED: Projects are allowed to add members with different domain email address despite restricting in group settings
HackerOne report #679567 by ashish_r_padelkar
on 2019-08-22, assigned to gitlab_cmaxim
Summary
Hello,
In the new feature https://gitlab.com/help/user/group/index#allowed-domain-restriction-premium-only, it is mentioned that "You can restrict access to groups and their underlying projects by allowing only users with email addresses in particular domains to be added to the group".
However, this restriction only works at the group level and not for the projects underneath it.
Steps to reproduce
- Go to group settings at /-/edit#js-permissions-settings and put gitlab.com under Restrict membership by email.
- Now try to add members at group membership with a different email, and it won't allow you to.
- Now, as a maintainer, go to projects underneath it and add an email with a different domain, and it will successfully add the member.
What is the current bug behavior?
Allows adding emails of different domains at the project level despite the setting at the group level.
What is the expected correct behavior?
The settings should be applied at all levels as per documentation.
Output of checks
This bug happens on GitLab.com and probably on omnibus installations too
Regards,
Ashish
Impact
Allows adding members with different domain email addresses at project level despite group level settings.
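The check the report says is missing, as an added example that is not part of the report and not GitLab's own code: the allowed-domain list configured on a group is resolved by walking up the group hierarchy, and a project inherits the list of its nearest restricted ancestor group, so the same validation runs whether the member is added at group or project level. Group, Project, email_allowed? and add_member! are minimal hypothetical stand-ins, not GitLab's models or API; the sample hierarchy at the bottom is constructed. Domain comparison is exact (sub.gitlab.com does not satisfy gitlab.com), which is the conservative choice for this kind of restriction.

```ruby
# Added example, not GitLab's code: enforce a group-level "restrict membership
# by email domain" setting for every descendant project, not only the group.

# Hypothetical stand-in for a group: allowed_email_domains is an Array of
# domains (empty means "no restriction set at this level").
Group = Struct.new(:name, :parent, :allowed_email_domains) do
  # Walk up the hierarchy; the nearest ancestor that sets a restriction wins.
  def effective_allowed_domains
    node = self
    while node
      domains = node.allowed_email_domains || []
      return domains unless domains.empty?
      node = node.parent
    end
    []
  end
end

# Hypothetical stand-in for a project: it inherits its group's restriction.
Project = Struct.new(:name, :group) do
  def effective_allowed_domains
    group ? group.effective_allowed_domains : []
  end
end

# True if +email+ may be added to +target+ (a Group or a Project).
# Because both targets resolve the same inherited domain list, adding a
# member at project level cannot bypass the group-level setting.
def email_allowed?(target, email)
  domains = target.effective_allowed_domains
  return true if domains.empty?           # nothing restricted anywhere above

  domain = email.to_s.split('@', 2)[1]
  return false if domain.nil? || domain.empty?

  domain = domain.downcase
  domains.any? { |allowed| allowed.downcase == domain }
end

# Single entry point for adding members, used for groups and projects alike.
def add_member!(target, email)
  unless email_allowed?(target, email)
    raise ArgumentError, "#{email} is not in an allowed email domain for #{target.name}"
  end
  email
end

# Constructed sample hierarchy: the root group restricts to gitlab.com, the
# subgroup sets nothing, and the project sits two levels below the setting.
root = Group.new('acme', nil, ['gitlab.com'])
sub  = Group.new('acme/tools', root, [])
proj = Project.new('acme/tools/app', sub)

add_member!(root, 'alice@gitlab.com')   # allowed at group level
add_member!(proj, 'alice@gitlab.com')   # allowed at project level
begin
  add_member!(proj, 'bob@example.com')  # must be rejected at project level too
rescue ArgumentError => e
  warn e.message
end
```

The point of routing both group and project membership through one validator is that the restriction is evaluated against the project's ancestors rather than against the project's own (empty) settings, which is the gap the report describes.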