Incorrect access_level permissions returned by group members API & UI when listing all members including inherited members
Summary
When using `GET /groups/:id/members/all`, `access_level` is not properly inherited from parent groups. UI shows wrong effective `access_level`.
Steps to reproduce
1. create a group `parent`
2. create a group `sub` in the `parent` namespace
3. in the group `sub` add a member with an `access_level` of `20` (Reporter)
4. in the group `parent` add same member with an `access_level` of `30` (Developer)

Note that steps 3. and 4. should not be swapped because this would show a validation error.
Example groups
- `parent`: https://gitlab.com/groups/b-test-parent/-/group_members
- `sub`: https://gitlab.com/groups/b-test-parent/sub/-/group_members
What is the current bug behavior?
- if you run `GET /groups/:id/members/all` on `sub` group you'll see `access_level` `20` (Reporter) for the member rather than expected `30` (Developer)

  ```json
  [
    {
      "id": 5332,
      "name": "Ben Bodenmiller",
      "username": "bbodenmiller",
      "state": "active",
      "avatar_url": "https://assets.gitlab-static.net/uploads/-/system/user/avatar/5332/avatar.png",
      "web_url": "https://gitlab.com/bbodenmiller",
      "access_level": 50,
      "expires_at": null
    },
    {
      "id": 331646,
      "name": "🙈 jacopo beschi 🙉",
      "username": "jacopo-beschi",
      "state": "active",
      "avatar_url": "https://secure.gravatar.com/avatar/692fb66988ac3863f360e846c1afc4f3?s=80&d=identicon",
      "web_url": "https://gitlab.com/jacopo-beschi",
      "access_level": 20,
      "expires_at": null
    }
  ]
  ```
- check the group `sub` members UI you'll see `access_level` `20` (Reporter) for the member rather than expected `30` (Developer)
What is the expected correct behavior?
- if you run `GET /groups/:id/members/all` on `sub` group you see `access_level` `30` (Developer) for the member
- check the group `sub` members UI you see `access_level` `30` (Developer) for the member
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
Related to gitlab-foss#62284 (closed) and gitlab-foss!28887 (merged).
Perhaps something in https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/finders/group_members_finder.rb needs to be changed similar to in gitlab-foss!28887 (merged)?
- Remove caution text added in !42305 (merged)
Edited by Ben Bodenmiller
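
For access reviews that rely on the member listing, the following added example (not GitLab code and not part of the original report) recomputes each member's effective level as the highest direct `access_level` on the group or any ancestor, which is the expected behavior described above, and flags entries that a listing under-reports. The group paths, user IDs, `DIRECT_MEMBERS`, `REPORTED_FOR_SUB` and all function names are assumptions constructed to mirror the `parent`/`sub` scenario.

```ruby
# Added example, not GitLab code. All data is constructed to mirror the report.

# Direct memberships per group, keyed by full path: { user_id => access_level }.
DIRECT_MEMBERS = {
  "parent"     => { 1001 => 50, 1002 => 30 },
  "parent/sub" => { 1002 => 20 }
}.freeze

# Constructed stand-in for the listing the report saw for the sub group.
REPORTED_FOR_SUB = [
  { "id" => 1001, "access_level" => 50 },
  { "id" => 1002, "access_level" => 20 }
].freeze

# "parent/sub" -> ["parent", "parent/sub"]
def ancestry(full_path)
  parts = full_path.split("/")
  (1..parts.length).map { |n| parts.first(n).join("/") }
end

# Effective level = highest direct level found on the group or any ancestor.
def effective_levels(full_path, direct = DIRECT_MEMBERS)
  ancestry(full_path).each_with_object({}) do |path, acc|
    (direct[path] || {}).each do |user_id, level|
      acc[user_id] = [acc.fetch(user_id, 0), level].max
    end
  end
end

# Members whose listed level is missing or lower than their effective level.
def under_reported(full_path, reported, direct = DIRECT_MEMBERS)
  expected = effective_levels(full_path, direct)
  seen = reported.to_h { |m| [m["id"], m["access_level"]] }
  expected.filter_map do |user_id, level|
    got = seen[user_id]
    { id: user_id, reported: got, effective: level } if got.nil? || got < level
  end
end

if __FILE__ == $PROGRAM_NAME
  under_reported("parent/sub", REPORTED_FOR_SUB).each do |row|
    puts "user #{row[:id]}: listed #{row[:reported].inspect}, effective #{row[:effective]}"
  end
end
```

Any row this returns is a member whose real permissions exceed what the listing shows, so an audit based on the listing alone would understate that member's access.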