Conflict between project's permission settings description and actual permissions

Summary

The permissions settings of a project don't seem to reflect actual permissions.

Steps to reproduce

Create a project with the permission settings described below and an unprotected branch containing a dummy file, then create a user that is not external and not a member of said project. Log in as that user, find the project, and try to edit the file (e.g. through the web UI).

What is the current bug behavior?

On a self-hosted gitlab-ce 10.0.3, when looking at a project's Settings -> General -> Permissions, having project visibility internal and having Repository enabled and set to "Everyone with access", cf. picture,

[Screenshot: Screen_Shot_2017-11-07_at_13.08.29]

a user that is not a member of the project or the group containing the project, and is not an external user, is able to see the project, but is not able to edit files.

This seems paradoxical to "Everyone with access" can view and edit the repository. There effectively seems to be no difference between "Everyone with access", and "Only project members".

NB: When changing the repository setting to "Only project members", the non-member user is no longer able to view the files (or edit them).

What is the expected correct behavior?

With the above settings and user, one should be able to view & edit code in the repository.

Possible fixes

Original proposal

I'm admittedly, like, super confused by the permissions and roles and settings and whatnot.

I actually like the behaviour that is experienced, i.e. the "Repository - view and edit files in this project" only controls read access, and write access is reserved for members (at least under assumptions of the described state, haven't tested for example with other project visibility settings).

It lets me grant read access to non members without giving them write access.

Hence I suggest changing the setting text to "Repository - view files in this project".

Change the repository help text when "internal" or "public" is selected as the project's visibility setting:

View and edit files in this project. Non-project members will only have read access.

I think issues gitlab-ce#27952 and gitlab-ce#23038 are related.

Edited Nov 14, 2017 by Taurie Davis