Revoke access to forks when a user loses access to the upstream project
Problem to solve
As the owner/maintainer of a private project that uses a forking workflow for development, if I revoke a user's access to the project, they will still have access to their fork. This is particularly problematic on GitLab.com, where the user's account contains both personal and work projects:
- this requires a well-intentioned user to manually delete their fork on GitLab
- this makes it easy for an ill-intentioned user to retain a copy of the project
Further details
The proposal would make GitLab and GitHub's forking models (https://help.github.com/en/articles/removing-organization-members-from-a-team) consistent:
If you remove a person’s access to a private repository, any of their forks of that private repository are deleted. Local clones of the private repository are retained. If a team's access to a private repository is revoked or a team with access to a private repository is deleted, and team members do not have access to the repository through another team, private forks of the repository will be deleted.
Proposal
When a user is removed from a project or group in GitLab:
- all personal forks of private projects should become inaccessible
- all other forks where none of the owners have permission to access the upstream project should also become inaccessible
Existing forks
Existing forks will need to be handled with some care to prevent unexpected data loss.
Currently, if a user loses access to a private project, they will retain access to those forks. The GitLab.com Support Team will not delete them.
Therefore, we should remove the fork relationship from pre-existing private forks where the owner no longer has access to the upstream project. This will prevent these projects from being unexpectedly removed.
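
The rule from the Proposal and Existing forks sections, modelled as an added sketch (not GitLab code). The `ForkPolicy` class, its method names, and the sample projects and users are constructed for illustration; it assumes the one-off unlink step runs at rollout, before any new revocation is processed.

```ruby
require 'set'

# Constructed model: a fork records its upstream path (nil once unlinked),
# its owners, and whether it is still accessible.
Fork = Struct.new(:path, :upstream, :owners, :accessible)

class ForkPolicy
  # access: { private upstream path => Set of usernames that can access it }
  def initialize(access, forks)
    @access = access
    @forks  = forks
  end

  # True when no owner of the fork can access its private upstream.
  def orphaned?(fork)
    members = @access[fork.upstream]
    return false if members.nil? # unlinked fork, or upstream is not private
    fork.owners.none? { |owner| members.include?(owner) }
  end

  # "Existing forks": forks already orphaned at rollout lose the fork
  # relationship instead of being hidden, so later revocations never touch them.
  def unlink_preexisting!
    @forks.select { |f| orphaned?(f) }.each { |f| f.upstream = nil }.map(&:path)
  end

  # "Proposal": after a member is removed, every fork of that upstream left
  # without an authorised owner becomes inaccessible.
  def revoke!(user, upstream)
    @access.fetch(upstream).delete(user)
    hit = @forks.select { |f| f.upstream == upstream && f.accessible && orphaned?(f) }
    hit.each { |f| f.accessible = false }.map(&:path)
  end
end

def demo
  access = { 'acme/app' => Set['alice', 'bob'] } # carol lost access before rollout
  forks = [
    Fork.new('carol/app',  'acme/app', ['carol'], true),       # pre-existing orphan
    Fork.new('bob/app',    'acme/app', ['bob'], true),         # personal fork
    Fork.new('team-x/app', 'acme/app', %w[bob alice], true)    # fork with two owners
  ]
  policy   = ForkPolicy.new(access, forks)
  unlinked = policy.unlink_preexisting!      # carol's fork keeps its data, loses the link
  hidden   = policy.revoke!('bob', 'acme/app')
  [unlinked, hidden, forks]
end
```

The fork with two owners stays accessible because one owner still has access to the upstream project, which is the "none of the owners" condition in the proposal.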