
Group owner cannot remove their group from a project on which the group has lower than maintainer permissions

Summary

Discovered this through assisting a customer in a support ticket (internal only).

If a group is added to a personal namespace project as a Developer or lower, the owner of the group cannot remove their group as a member of the project. In fact, the group owner can't even see their group listed as a member of the project on the project's members page, but the project does appear in the group's Shared Projects tab.

In the customer's case, their group was added to a project by a former employee. When the employee exited the organization, they were removed from the group. However, the association between the group and the private project remained, and because the group was originally added to the project as a Developer role, the group owner is unable to remove themselves from the project. A GitLab.com administrator was required to take action.

This probably shouldn't be allowed to happen; a group owner should have full control over their group and any relationships / associations.

Since this has, in my opinion, potential for abuse, I'm going to default this issue to confidential for now.

Steps to reproduce

  1. Have Group A wherein you are owner/maintainer.
    1. Have a 2nd user in this group with at least maintainer permissions
  2. Have personal (private) project Project B, completely separate from Group A, which the 2nd user is an owner of
  3. On Project B, as 2nd user, invite the group Group A as a developer or guest
  4. Again as 2nd user, remove yourself from Group A
  5. As owner of Group A, observe that Project B appears under Group A's Shared Projects tab
  6. Again as owner/maintainer of Group A, navigate to Project B members tab; you cannot remove the group. In fact, you don't even see the group listed

There is no way to remove the project from the group unless the owner/maintainer of Project B removes the group, or an administrator takes action.

Example Project

I have a Group A here: https://gitlab.com/groups/keknet/-/shared
And a (private) Project B here: https://gitlab.com/mod_keeen/you-can-never-leave/-/project_members

My 2nd user is @mod_keeen which I added to keknet first, and then added Group A to the private project. @mod_keeen then left keknet group.

As the owner of group keknet, I do not have the ability to break the link between my group and the project.

What is the current bug behavior?

Group owner cannot remove their group from a private project that was previously shared with the group

What is the expected correct behavior?

Group owners should have complete control over which projects their group is a member of

Relevant logs and/or screenshots

View of the private project's members list as my user @kevenhughes:

screenshot-2020-09-18-12_37

View of the same page as the user @mod_keeen (owner of the project):

screenshot-2020-09-18-12_35

Notice in the first screenshot, my user cannot even see that my group is a member of the project, let alone remove it

View of my group Shared Projects as my user @kevenhughes:

screenshot-2020-09-18-12_45

Output of checks

This happens on gitlab.com. I've also replicated on 13.3.6-ee (d7bc82f4b06)

Possible fixes

As far as I've observed, the only workaround is for the owner/maintainer of Project B to remove the group Group A, or have an administrator take the action

Proposed solution

Within the group itself, under Shared Projects, present the option for owners/maintainers to leave a project / break the link between group <-> project.

Similar or related issues and MRs

gitlab-foss#1780 (closed)
!11941 (merged)
gitlab-foss#31080 (comment 53236296)
#20669 (closed)

Edited by Michelle Gill
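
An audit for the condition described in this issue, as an added example that is not part of the original report or GitLab's own code: given project objects shaped like GitLab REST API project JSON (with `namespace` and `shared_with_groups`), it lists the shares in which a group holds less than Maintainer access. The sample data, the function name `stuck_shares` and the `orphaned` heuristic (a personal-namespace project whose owner is no longer a group member) are assumptions made for illustration.

```python
# Added example: find project shares a group owner cannot manage themselves.
# GitLab access levels: 10 guest, 20 reporter, 30 developer, 40 maintainer, 50 owner.
MAINTAINER = 40

# Constructed sample shaped like GitLab REST API project objects (not real data).
SAMPLE_PROJECTS = [
    {"id": 101, "path_with_namespace": "former-employee/private-tool",
     "namespace": {"kind": "user", "full_path": "former-employee"},
     "shared_with_groups": [{"group_id": 7, "group_access_level": 30}]},
    {"id": 102, "path_with_namespace": "partner-org/docs",
     "namespace": {"kind": "group", "full_path": "partner-org"},
     "shared_with_groups": [{"group_id": 7, "group_access_level": 40},
                            {"group_id": 9, "group_access_level": 10}]},
    {"id": 103, "path_with_namespace": "someone/notes",
     "namespace": {"kind": "user", "full_path": "someone"},
     "shared_with_groups": [{"group_id": 9, "group_access_level": 20}]},
]


def stuck_shares(projects, group_id, member_usernames):
    """Return shares where group_id has less than Maintainer access.

    member_usernames: usernames of the group's current members. For a
    personal namespace, full_path is the owning user's username, so a
    project whose namespace owner is not in this set is marked orphaned
    (assumption: that is the case needing escalation first).
    """
    findings = []
    for project in projects:
        for link in project.get("shared_with_groups", []):
            if link["group_id"] != group_id:
                continue  # share belongs to a different group
            if link["group_access_level"] >= MAINTAINER:
                continue  # not the below-Maintainer case from the issue
            ns = project["namespace"]
            findings.append({
                "project": project["path_with_namespace"],
                "access_level": link["group_access_level"],
                "orphaned": ns["kind"] == "user"
                            and ns["full_path"] not in member_usernames,
            })
    return findings


if __name__ == "__main__":
    for finding in stuck_shares(SAMPLE_PROJECTS, 7, {"group-owner"}):
        print(finding)
```
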