ESCALATED: Projects are allowed to add members with different domain email address despite restricting in group settings
HackerOne report #679567 by
ashish_r_padelkar on 2019-08-22, assigned to
In new feature
https://gitlab.com/help/user/group/index#allowed-domain-restriction-premium-only , it is mentioned that:
You can restrict access to groups and their underlying projects by allowing only users with email addresses in particular domains to be added to the group
However, this restriction only works at group level and not projects underneath it.
Steps to reproduce
Go to group settings at
Restrict membership by email.
Now try to add members at group membership level with a different email domain; it won't allow you to do so.
Now, as a maintainer, go to the projects underneath it and add an email with a different domain; it will successfully add the member.
What is the current bug behavior?
Allows adding emails of different domains at project level despite the restriction being set at group level.
What is the expected correct behavior?
The settings should be applied at all levels as per documentation.
Output of checks
This bug happens on GitLab.com and probably on omnibus installations too
Allows adding members with different domain email addresses at project level despite group level settings.
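As an added illustration (not GitLab's code, and not part of the original report), the following Ruby model shows the behaviour the report expects: an allowed-email-domain restriction set on a group is enforced for membership requests at every level beneath it, including projects. The `Group`, `Project` and `member_allowed?` names, and the rule that an email must satisfy the restriction of every ancestor that sets one, are assumptions for this example.

```ruby
# Added example, not GitLab's implementation. Models a group/subgroup/project
# tree and enforces an inherited "allowed email domains" restriction so that a
# project cannot admit a member its parent group would reject.

class Group
  attr_reader :name, :parent, :allowed_email_domains

  def initialize(name, parent: nil, allowed_email_domains: [])
    @name = name
    @parent = parent
    # Normalise to lower case so comparisons are case-insensitive.
    @allowed_email_domains = allowed_email_domains.map(&:downcase)
  end

  # Every restriction set on this group or any ancestor (root first).
  def effective_domain_restrictions
    chain = []
    node = self
    while node
      chain.unshift(node.allowed_email_domains) unless node.allowed_email_domains.empty?
      node = node.parent
    end
    chain
  end
end

class Project
  attr_reader :name, :group

  def initialize(name, group:)
    @name = name
    @group = group
  end

  # A project has no restriction of its own; it inherits its group's chain.
  def effective_domain_restrictions
    group.effective_domain_restrictions
  end
end

# Extract the domain part of an address; nil if the address is malformed.
def email_domain(email)
  local, domain = email.to_s.split('@', 2)
  return nil if local.nil? || local.empty? || domain.nil? || domain.empty?
  domain.downcase
end

# The single check that both group-level and project-level "add member"
# flows should call. Returns true only when the email's domain is allowed by
# every restriction in the target's ancestry (assumed semantics).
def member_allowed?(target, email)
  domain = email_domain(email)
  return false if domain.nil?

  target.effective_domain_restrictions.all? { |allowed| allowed.include?(domain) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample hierarchy: root group restricted to example.com,
  # a subgroup with no restriction of its own, and a project beneath it.
  root = Group.new('acme', allowed_email_domains: ['example.com'])
  sub  = Group.new('acme/platform', parent: root)
  proj = Project.new('acme/platform/api', group: sub)

  puts member_allowed?(proj, 'alice@example.com')  # true
  puts member_allowed?(proj, 'bob@other.org')      # false: inherited restriction applies at project level too
end
```

The point of routing both the group and the project "add member" paths through the same `member_allowed?` check is that the restriction cannot be bypassed by choosing the lower-level membership page, which is exactly the gap the report describes.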