Group owner cannot remove their group from a project on which the group has lower than maintainer permissions
Summary
Discovered this through assisting a customer in a support ticket (internal only).
If a group is added to a personal namespace project as a Developer or lower, the owner of the group cannot remove their group as a member of the project. In fact, the group owner can't even see their group listed as a member of the project on the project's members page, but the project does appear in the group's Shared Projects tab.
In the customer's case, their group was added to a project by a former employee. When the employee exited the organization, they were removed from the group. However, the association between the group and the private project remained, and because the group was originally added to the project as a Developer role, the group owner is unable to remove themselves from the project. A GitLab.com administrator was required to take action.
This probably shouldn't be allowed to happen; a group owner should have full control over their group and any relationships / associations.
Since this has, in my opinion, potential for abuse, I'm going to default this issue to confidential for now.
Steps to reproduce
- Have Group A wherein you are owner/maintainer.
  - Have a 2nd user in this group with at least maintainer permissions
- Have personal (private) project Project B, completely separate from Group A, which the 2nd user is an owner of
- On Project B, as 2nd user, invite the group Group A as a developer or guest
- Again as 2nd user, remove yourself from Group A
- As owner of Group A, observe that Project B appears under Group A's Shared Projects tab
- Again as owner/maintainer of Group A, navigate to Project B members tab; you cannot remove the group. In fact, you don't even see the group listed
There is no way to remove the project from the group unless the owner/maintainer of Project B removes the group, or an administrator takes action
Example Project
I have a Group A here: https://gitlab.com/groups/keknet/-/shared
And a (private) Project B here: https://gitlab.com/mod_keeen/you-can-never-leave/-/project_members
My 2nd user is @mod_keeen which I added to keknet first, and then added Group A to the private project. @mod_keeen then left keknet group.
As the owner of group keknet, I do not have the ability to break the link between my group and the project.
What is the current bug behavior?
Group owner cannot remove their group from a private project that was previously shared with the group
What is the expected correct behavior?
Group owners should have complete control over which projects their group is a member of
Relevant logs and/or screenshots
View of the private project's members list as my user @kevenhughes:
View of the same page as the user @mod_keeen (owner of the project):
Notice in the first screenshot, my user cannot even see that my group is a member of the project, let alone remove it
View of my group Shared Projects as my user @kevenhughes:
Output of checks
This happens on gitlab.com. I've also replicated on 13.3.6-ee (d7bc82f4b06)
Possible fixes
As far as I've observed, the only workaround is for the owner/maintainer of Project B to remove the group Group A, or have an administrator take the action
Proposed solution
Within the group itself, under Shared Projects, present the option for owners/maintainers to leave a project / break the link between group <-> project.
Similar or related issues and MRs
gitlab-foss#1780 (closed)
!11941 (merged)
gitlab-foss#31080 (comment 53236296)
#20669 (closed)
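
A way for a group owner to list the links this issue describes, as an added example that is not part of the original report: it filters project objects for shares where the group's own access level is below Maintainer. The sample data and numeric IDs are constructed, and the input is assumed to have the shape of the `shared_projects` array in GitLab's `GET /groups/:id` REST response, with each project carrying `shared_with_groups`.

```python
import json

# GitLab access-level integers (Guest=10 ... Owner=50).
ACCESS = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}
MAINTAINER = 40

# Constructed sample: shape of project objects as returned in the
# `shared_projects` array of GET /groups/:id (all IDs are made up).
SAMPLE_SHARED_PROJECTS = json.loads("""
[
  {"id": 101, "path_with_namespace": "mod_keeen/you-can-never-leave",
   "shared_with_groups": [
     {"group_id": 7, "group_name": "keknet", "group_access_level": 30}]},
  {"id": 102, "path_with_namespace": "other-team/tooling",
   "shared_with_groups": [
     {"group_id": 7, "group_name": "keknet", "group_access_level": 40},
     {"group_id": 9, "group_name": "ops", "group_access_level": 20}]},
  {"id": 103, "path_with_namespace": "former-employee/notes",
   "shared_with_groups": [
     {"group_id": 7, "group_name": "keknet", "group_access_level": 10}]}
]
""")


def stuck_links(shared_projects, group_id):
    """Return shares where the group's own access is below Maintainer.

    Per the issue, these are the links a group owner cannot see or remove
    from the project's members page.
    """
    findings = []
    for project in shared_projects:
        for share in project.get("shared_with_groups", []):
            if share["group_id"] != group_id:
                continue  # a share belonging to some other group
            level = share["group_access_level"]
            if level < MAINTAINER:
                findings.append({
                    "project_id": project["id"],
                    "project": project["path_with_namespace"],
                    "access": ACCESS.get(level, str(level)),
                })
    return findings


if __name__ == "__main__":
    for f in stuck_links(SAMPLE_SHARED_PROJECTS, group_id=7):
        print(f"{f['project']} (id {f['project_id']}): shared as {f['access']}")
```

Each finding is a group-to-project link that, per this report, only the project's owner/maintainer or an administrator can remove.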