Adding group to members of a group results in incorrect permissions
Summary
There are two related problems observed:
- Despite being a member of a shared group, member shows up with incorrect/lower permission in the member list.
- The effective role permission seems to take effect for projects within the group, but not the group itself. That is, if a member should have 'maintainer' due to shared groups, they are unable to create a project in the group, but they do have maintainer permission on projects within the group.
Steps to reproduce
- Create a group (eg.
Fake Company/RBAC/Maintainers
) - Add some users to the
Maintainers
group - Create another group (eg.
Fake Company/Fake Team
) - Add the
Maintainers
group to the members ofFake Team
with "Maintainer" permissions - Users in the
Maintainers
group will not be able to create projects or sub-groups
Example Project
(If possible, please create an example project here on GitLab.com that exhibits the problematic behavior, and link to it here in the bug report)
(If you are using an older version of GitLab, this will also determine whether the bug is fixed in a more recent version)
What is the current bug behavior?
Permissions gained through group membership take effect in all sub-groups and projects, but not within the group itself that the permissions were applied too.
What is the expected correct behavior?
Permissions should take effect at the top-level group AND below.
Also ideally, the user member list should update to reflect these higher permissions (to remove the inconsistency).
Relevant logs and/or screenshots
Output of checks
GitLab environment info
GitLab.com
Possible fixes
/cc @dblessing @ifarkas