Pipeline API Status Update permission regression

Summary

Prior versions of GitLab allowed calls to the Pipeline API to update a commit's status while only requiring the Developer permission.

At some point recently (during the 12.8 release cycle, as far as I can tell) it appears that the Pipeline API now requires Maintainer access, so a much more privileged account is needed to update build information on all built commits. This is an undocumented change and, being backwards-incompatible, an API breakage.

This change was introduced in this commit.

This also appears to affect anyone using GitLab in conjunction with the GitLab Plugin for Jenkins, wherein Jenkins is able to update commits with build information.

Steps to reproduce

Using access credentials tied to a user with the Developer role, attempt to send a POST request to update a commit's build status per the following API:

https://docs.gitlab.com/ee/api/commits.html#post-the-build-status-to-a-commit

e.g. POST /api/v4/projects/katana/TreeResolver/statuses/f1c35fef86bb22a8d067d94636f649e0cc955332

An HTTP 403 will be returned by GitLab if the user is not a Maintainer and the branch is protected.

Example Project

No example project is available for this behavior.

What is the current bug behavior?

An HTTP 403 is returned by GitLab if the user is not a Maintainer or a branch that the commit exists on is protected when calling the POST /projects/:id/statuses/:sha API endpoint.

What is the expected correct behavior?

The prior behavior: if the user is authenticated and has at least Developer access to the project, the POST request to the POST /projects/:id/statuses/:sha API should succeed with a 200 and update the commit build status.

Relevant logs and/or screenshots

Note: I'm running GitLab via the Docker image reference gitlab/gitlab-ce:latest, currently running 12.9.1 with an update scheduled to occur tonight.

==> /var/log/gitlab/nginx/gitlab_access.log <==
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "GET /api/v4/projects/katana%2FTreeResolver/repository/commits/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 200 878 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "POST /api/v4/projects/katana%2FTreeResolver/statuses/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 403 27 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "GET /api/v4/projects/katana%2FTreeResolver/repository/commits/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 200 878 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "POST /api/v4/projects/katana%2FTreeResolver/statuses/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 403 27 "" "-"
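Added example (not code from this report or from GitLab): a small Python checker that scans gitlab_access.log lines like the excerpt above for POSTs to the commit-status endpoint that came back 403, which is how an operator could spot CI integrations such as the Jenkins plugin silently failing to report build results after this change. The sample lines are constructed from the excerpt above; the third line, with a 201 for a different SHA, is an assumed success case.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the gitlab_access.log excerpt in this report
# (client address redacted as in the report; third line is an assumed success).
SAMPLE_LOG = """\
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "GET /api/v4/projects/katana%2FTreeResolver/repository/commits/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 200 878 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "POST /api/v4/projects/katana%2FTreeResolver/statuses/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 403 27 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:40 +0000] "POST /api/v4/projects/katana%2FTreeResolver/statuses/0123456789abcdef0123456789abcdef01234567 HTTP/1.1" 201 512 "" "-"
"""

# One nginx access-log line: remote host, ident, user, timestamp, request line, status, bytes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# The commit-status endpoint: POST /api/v4/projects/:id/statuses/:sha
# (the project path arrives URL-encoded, e.g. katana%2FTreeResolver).
STATUS_PATH_RE = re.compile(
    r'^/api/v4/projects/(?P<project>[^/]+)/statuses/(?P<sha>[0-9a-f]{40})$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_rejected_status_updates(log_text):
    """Return (timestamp, project, sha) for every POST to the commit-status
    endpoint that GitLab rejected with HTTP 403."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["status"] != "403":
            continue
        pm = STATUS_PATH_RE.match(rec["path"])
        if pm:
            hits.append((rec["ts"], unquote(pm.group("project")), pm.group("sha")))
    return hits


if __name__ == "__main__":
    for ts, project, sha in find_rejected_status_updates(SAMPLE_LOG):
        print(f"{ts}: status update for {project}@{sha[:8]} rejected with 403")
```

Run it against the real log (e.g. read /var/log/gitlab/nginx/gitlab_access.log instead of SAMPLE_LOG) to list every commit whose build status a CI integration failed to set.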


Results of GitLab application Check


Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 12.0.0 ? ... OK (12.0.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... 2/1 ... yes 5/2 ... yes 5/3 ... yes 5/4 ... yes 2/5 ... yes 6/6 ... yes 10/7 ... yes 10/8 ... yes 7/9 ... yes 13/10 ... yes 7/11 ... yes 13/12 ... yes 7/13 ... yes 13/14 ... yes 6/15 ... yes 6/16 ... yes 6/17 ... yes 13/18 ... yes 2/19 ... yes 7/23 ... yes 7/24 ... yes 9/25 ... yes 9/26 ... yes 9/27 ... yes 9/28 ... yes 7/29 ... yes 8/30 ... yes 6/31 ... yes 7/32 ... yes 9/33 ... yes 7/35 ... yes 7/36 ... yes 7/37 ... yes 11/38 ... yes 6/39 ... yes 6/40 ... yes 6/41 ... yes 12/42 ... yes 12/43 ... yes 12/44 ... yes 14/45 ... yes 6/46 ... yes 12/47 ... yes 3/48 ... yes 11/49 ... yes 7/50 ... yes 11/51 ... yes 11/52 ... yes 11/53 ... yes 16/54 ... yes 2/56 ... yes 16/57 ... yes 16/58 ... yes 2/59 ... yes 18/60 ... yes 12/61 ... yes 16/63 ... yes 12/64 ... yes 18/65 ... yes 18/66 ... yes 18/67 ... yes 18/68 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.5)
Git version >= 2.22.0 ? ... yes (2.24.1)
Git user has default SSH configuration? ... yes
Active users: ... 5
Is authorized keys file accessible? ... yes

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Possible fixes

Reverting the following commit: 5f63ef2b

Edited by katana