You should not be able to assign a reviewer to a merge request if they do not have access to the source repo


Summary

When you open a merge request, you can assign a reviewer who does not have access to the source repo. The reviewer is allowed to perform the merge but cannot see the source repo to review the code; instead they get a 404 error. They can still see the commit and diff, but without the surrounding code that is of little use. This is specifically a problem with forked repositories, because a fork is a brand-new repo that does not carry over the upstream project's members. The recommended action is to prevent users from assigning, as reviewer of a merge request, anyone who does not have access to the source repo.

Steps to reproduce

  1. User1 creates a new repo "user1/testrepo"
  2. User1 adds User2 as a developer
  3. User2 decides to fork the repo to create "user2/testrepo". No other members are added to it
  4. User2 makes some changes and commits the code
  5. User2 creates a merge request to merge "user2/testrepo" into "user1/testrepo" and assigns User1 as a reviewer
  6. User1 looks at the merge request and tries to review the code. Clicking the source branch link, displayed as "user2:master", results in a 404 error. Using the instructions in the "Check out branch" button results in the error "fatal: Could not read from remote repository."
  7. User1 cannot review the code because they do not have access to "user2/testrepo".
  8. User1 blindly commits the code, because they have access to that, but is not able to review the actual code.

What is the current bug behavior?

The user opens a merge request and assigns a reviewer who does not have access to the source repo.

What is the expected correct behavior?

The user should not be allowed to assign a reviewer to the merge request who does not have access to the source repo.

Relevant logs and/or screenshots

$ git fetch git@gitlab.example.com:user2/repo.git master

GitLab: The project you were looking for could not be found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Output of checks

This bug happens on GitLab Enterprise Edition and GitLab Community Edition. I suspect that this is on GitLab.com too.

Results of GitLab environment info

System information
System: CentOS 7.3.1611
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.6.6
Bundler Version: 1.13.7
Rake Version: 10.5.0
Redis Version: 3.2.5
Git Version: 2.11.1
Sidekiq Version: 4.2.7

GitLab information
Version: 9.1.3-ee
Revision: e28218c
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
DB Version: 9.6.1
URL: https://gitlab.example.com
HTTP Clone URL: https://gitlab.example.com/some-group/some-project.git
SSH Clone URL: git@gitlab.example.com:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: github

GitLab Shell
Version: 5.0.2
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Checking GitLab Shell ...

GitLab Shell version >= 5.0.2 ? ... OK (5.0.2)
Repo base directory exists? default... yes
Repo storage directories are symlinks? default... no
Repo paths owned by git:git? default... yes
Repo paths access is drwxrws---? default... yes
hooks directories in repos are links: ... 15/3 ... ok 2/4 ... ok 10/5 ... ok 11/6 ... ok 82/7 ... ok 17/8 ... ok 30/29 ... ok 33/30 ... ok 36/31 ... ok 36/32 ... ok 36/33 ... ok 36/35 ... ok 36/36 ... ok 36/37 ... ok 38/38 ... ok 42/40 ... ok 43/41 ... ok 45/42 ... ok 7/43 ... ok 7/44 ... ok 7/45 ... ok 46/46 ... ok 79/47 ... ok 48/48 ... ok 2/49 ... ok 9/50 ... ok 49/51 ... ok 11/52 ... ok 81/54 ... ok 53/55 ... ok 2/56 ... ok 36/58 ... ok 55/59 ... ok 35/60 ... ok 42/61 ... ok 22/62 ... ok 61/63 ... ok 61/66 ... ok 62/69 ... ok 12/71 ... ok 63/72 ... ok 61/73 ... ok 64/74 ... ok 63/75 ... ok 5/76 ... ok 27/77 ... ok 67/79 ... ok 26/80 ... ok 15/81 ... ok 2/83 ... ok 26/84 ... ok 11/85 ... ok 71/87 ... ok 8/88 ... ok 8/89 ... ok 42/90 ... ok 80/91 ... ok 73/92 ... ok 72/93 ... ok 55/94 ... ok 75/96 ... ok 75/98 ... ok 72/99 ... ok 78/100 ... ok 76/101 ... ok 75/103 ... ok 42/104 ... ok 13/105 ... ok 38/107 ... ok 42/108 ... ok 77/109 ... ok 83/110 ... ok 12/111 ... ok 7/112 ... ok 7/113 ... ok 7/114 ... ok 84/116 ... ok 53/117 ... ok 11/118 ... ok 88/119 ... ok 88/120 ... ok 88/121 ... ok 42/122 ... ok 42/123 ... ok 38/124 ... ok 53/125 ... ok 38/126 ... ok 89/127 ... ok 7/128 ... ok 89/129 ... ok 78/132 ... repository is empty 45/133 ... ok 90/134 ... ok 38/135 ... ok 51/136 ... ok 11/137 ... ok 96/138 ... ok 68/139 ... ok 11/140 ... ok 89/141 ... ok 68/142 ... ok 13/143 ... ok 7/144 ... ok 68/145 ... ok 94/146 ... ok 93/147 ... ok 8/148 ... ok 93/149 ... ok 93/150 ... ok 64/151 ... ok 95/152 ... ok 96/153 ... ok 97/155 ... ok 21/156 ... ok 89/157 ... ok 28/158 ... ok 2/159 ... ok 69/160 ... ok 13/161 ... ok 87/162 ... ok 90/163 ... ok 13/164 ... ok 89/165 ... ok 90/166 ... ok 13/167 ... ok 105/168 ... ok 86/169 ... ok 13/170 ... ok 18/171 ... ok 18/172 ... ok 2/173 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Reply by email ...

IMAP server credentials are correct? ... yes
Init.d configured correctly? ... skipped (omnibus-gitlab has no init script)
MailRoom running? ... can't check because of previous errors

Checking Reply by email ... Finished

Checking LDAP ...

Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

Checking GitLab ...

Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ... 15/3 ... yes 2/4 ... yes 10/5 ... yes 11/6 ... yes 82/7 ... yes 17/8 ... yes 30/29 ... yes 33/30 ... yes 36/31 ... yes 36/32 ... yes 36/33 ... yes 36/35 ... yes 36/36 ... yes 36/37 ... yes 38/38 ... yes 42/40 ... yes 43/41 ... yes 45/42 ... yes 7/43 ... yes 7/44 ... yes 7/45 ... yes 46/46 ... yes 79/47 ... yes 48/48 ... yes 2/49 ... yes 9/50 ... yes 49/51 ... yes 11/52 ... yes 81/54 ... yes 53/55 ... yes 2/56 ... yes 36/58 ... yes 55/59 ... yes 35/60 ... yes 42/61 ... yes 22/62 ... yes 61/63 ... yes 61/66 ... yes 62/69 ... yes 12/71 ... yes 63/72 ... yes 61/73 ... yes 64/74 ... yes 63/75 ... yes 5/76 ... yes 27/77 ... yes 67/79 ... yes 26/80 ... yes 15/81 ... yes 2/83 ... yes 26/84 ... yes 11/85 ... yes 71/87 ... yes 8/88 ... yes 8/89 ... yes 42/90 ... yes 80/91 ... yes 73/92 ... yes 72/93 ... yes 55/94 ... yes 75/96 ... yes 75/98 ... yes 72/99 ... yes 78/100 ... yes 76/101 ... yes 75/103 ... yes 42/104 ... yes 13/105 ... yes 38/107 ... yes 42/108 ... yes 77/109 ... yes 83/110 ... yes 12/111 ... yes 7/112 ... yes 7/113 ... yes 7/114 ... yes 84/116 ... yes 53/117 ... yes 11/118 ... yes 88/119 ... yes 88/120 ... yes 88/121 ... yes 42/122 ... yes 42/123 ... yes 38/124 ... yes 53/125 ... yes 38/126 ... yes 89/127 ... yes 7/128 ... yes 89/129 ... yes 78/132 ... yes 45/133 ... yes 90/134 ... yes 38/135 ... yes 51/136 ... yes 11/137 ... yes 96/138 ... yes 68/139 ... yes 11/140 ... yes 89/141 ... yes 68/142 ... yes 13/143 ... yes 7/144 ... yes 68/145 ... yes 94/146 ... yes 93/147 ... yes 8/148 ... yes 93/149 ... yes 93/150 ... yes 64/151 ... yes 95/152 ... yes 96/153 ... yes 97/155 ... yes 21/156 ... yes 89/157 ... yes 28/158 ... yes 2/159 ... yes 69/160 ... yes 13/161 ... yes 87/162 ... yes 90/163 ... yes 13/164 ... yes 89/165 ... yes 90/166 ... yes 13/167 ... yes 105/168 ... yes 86/169 ... yes 13/170 ... yes 18/171 ... yes 18/172 ... yes 2/173 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.3)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.11.1)
Active users: 58

Checking GitLab ... Finished

Possible fixes

I am unable to provide the specific line of code. It would be a matter of restricting the populated list of users down to those with at least Reporter access to the repo. Basically, the user needs to be able to see the code and test it out in order to review it.
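The restriction proposed above (and the fork scenario from the Summary and reproduction steps), modelled as an added Ruby example that is not GitLab's own code: it assumes a simplified project/membership model, uses GitLab's public access-level numbers, and treats "at least Reporter" as the threshold for reading a private repository.

```ruby
# Added example, not GitLab's code: models the reviewer restriction proposed under
# "Possible fixes". Access levels follow GitLab's Gitlab::Access constants.
module Access
  GUEST = 10
  REPORTER = 20
  DEVELOPER = 30
  OWNER = 50
end

# A project is a path plus a user => access level map (constructed model).
Project = Struct.new(:path, :members) do
  def access_level(user)
    members.fetch(user, 0)
  end

  # A fork starts with only the forking user as Owner: upstream members are
  # not copied over, which is exactly why the reviewer later gets a 404.
  def fork_by(user, new_path)
    Project.new(new_path, { user => Access::OWNER })
  end
end

MergeRequest = Struct.new(:source_project, :target_project)

# Proposed rule: a reviewer must hold at least Reporter on BOTH sides of the MR.
def can_review?(user, mr)
  [mr.source_project, mr.target_project].all? do |project|
    project.access_level(user) >= Access::REPORTER
  end
end

# Restrict the reviewer picker to eligible users only.
def assignable_reviewers(mr, candidates)
  candidates.select { |u| can_review?(u, mr) }
end

# Steps 1-5 of the report, with the constructed project and user names.
def build_report_scenario
  upstream = Project.new("user1/testrepo",
                         { "user1" => Access::OWNER, "user2" => Access::DEVELOPER })
  fork = upstream.fork_by("user2", "user2/testrepo")
  MergeRequest.new(fork, upstream)
end

# Today the picker lists every upstream member; with the rule applied user1
# drops out until user2 grants them Reporter access on the fork.
def reviewers_before_and_after_grant
  mr = build_report_scenario
  before = assignable_reviewers(mr, %w[user1 user2])
  mr.source_project.members["user1"] = Access::REPORTER
  [before, assignable_reviewers(mr, %w[user1 user2])]
end
```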
