
ESCALATED: Projects are allowed to add members with different domain email address despite restricting in group settings

HackerOne report #679567 by ashish_r_padelkar on 2019-08-22, assigned to gitlab_cmaxim:

Summary

Hello,

In the new feature https://gitlab.com/help/user/group/index#allowed-domain-restriction-premium-only , it is mentioned that "You can restrict access to groups and their underlying projects by allowing only users with email addresses in particular domains to be added to the group."

However, this restriction only works at group level and not projects underneath it.

Steps to reproduce

  1. Go to group settings at /-/edit#js-permissions-settings and put gitlab.com under Restrict membership by email.

  2. Now try to add members at group membership with a different email and it won't allow you to do so.

  3. Now, as a maintainer, go to projects underneath it and add an email with a different domain, and it will successfully add the member.

What is the current bug behavior?

Allows adding emails of different domains at project level despite the setting being applied at group level.

What is the expected correct behavior?

The settings should be applied at all levels as per documentation.

Output of checks

This bug happens on GitLab.com and probably on omnibus installations too

Regards,
Ashish

Impact

Allows adding members with different domain email addresses at project level despite group level settings.
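The expected behaviour described in the report is that the group's allowed-domain list governs membership at every level beneath the group, projects included. The following is an added example, not GitLab's own code: it models the check with minimal constructed `Group` and `Project` structs, resolves the effective restriction by walking up the ancestor chain, and applies the same rule whether the membership target is a group or a project. Domain matching is exact and case-insensitive here (no subdomain wildcarding), which is an assumption of this example rather than documented GitLab behaviour.

```ruby
# Added example (not GitLab's code): enforce an allowed-email-domain
# restriction on a group AND on every project beneath it.

# Minimal constructed models for this example.
Group   = Struct.new(:name, :parent, :allowed_email_domains, keyword_init: true)
Project = Struct.new(:name, :group, keyword_init: true)

# Walk from a group up to the root and return the allowed-domain list of the
# nearest group (self or ancestor) that defines a non-empty one.
# Returns nil when no restriction applies anywhere in the chain.
def effective_allowed_domains(group)
  node = group
  while node
    domains = node.allowed_email_domains
    return domains if domains && !domains.empty?
    node = node.parent
  end
  nil
end

# A project inherits the restriction of the group that owns it; a group is
# checked against its own chain. This is the step the report found missing.
def owning_group(target)
  target.is_a?(Project) ? target.group : target
end

# Extract the domain part of an address, lowercased.
# Returns nil for anything that is not "local@domain" with exactly one '@'.
def email_domain(email)
  s = email.to_s
  return nil unless s.count('@') == 1
  local, _, domain = s.partition('@')
  return nil if local.empty? || domain.empty?
  domain.downcase
end

# Decide whether +email+ may be added as a member of +target+ (Group or Project).
# Returns [allowed?, reason] so callers can log or surface the decision.
def membership_allowed?(target, email)
  allowed = effective_allowed_domains(owning_group(target))
  return [true, 'no domain restriction in ancestor chain'] if allowed.nil?

  domain = email_domain(email)
  return [false, 'malformed email address'] if domain.nil?

  if allowed.map(&:downcase).include?(domain)
    [true, "#{domain} is in the allowed list"]
  else
    [false, "#{domain} is not in the allowed list #{allowed.inspect}"]
  end
end

if __FILE__ == $0
  # Constructed sample hierarchy: restriction set on the root group only.
  root = Group.new(name: 'acme', parent: nil, allowed_email_domains: ['gitlab.com'])
  team = Group.new(name: 'acme/team', parent: root, allowed_email_domains: nil)
  app  = Project.new(name: 'acme/team/app', group: team)

  [[root, 'dev@gitlab.com'], [root, 'dev@example.com'],
   [app, 'dev@example.com'], [app, 'dev@GitLab.com']].each do |target, email|
    ok, why = membership_allowed?(target, email)
    puts "#{target.name} <- #{email}: #{ok ? 'ALLOW' : 'DENY'} (#{why})"
  end
end
```

The decisive line is `owning_group`: a project's membership check consults the project's group chain instead of stopping at the project, so the restriction the reporter set at group level also denies the project-level add in step 3.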

Edited by GitLab SecurityBot