"Edit permission" not possibe in subgroup of group with LDAP sync
Summary
Trying to override the permission of an LDAP user in a subgroup of the group that is set up with LDAP sync results in the error message "An error occurred while trying to enable LDAP override, please try again."
Steps to reproduce
- Create a new group
- Setup LDAP group sync for this group
- Create a new subgroup
- Navigate to the "Members" page
- Click on "Edit permissions" (the pencil icon) on any user with an LDAP badge
Example Project
Not possible, no LDAP sync on GitLab.com
What is the current bug behavior?
- Error "An error occurred while trying to enable LDAP override, please try again." is shown
- Backend throws an exception
What is the expected correct behavior?
Drop down under "Max role" becomes active and shows list of selectable roles and I can assign a new role.
Relevant logs and/or screenshots
Processing by Groups::GroupMembersController#override as JSON
Parameters: {"group_member"=>{"override"=>true}, "group_id"=>"xxx/yyy", "id"=>"1234"}
ActiveRecord::RecordNotFound (Couldn't find GroupMember with [WHERE "members"."type" = $1 AND "members"."source_id" = $2 AND "members"."source_type" = $3 AND "members"."requested_at" IS NULL AND "mem
bers"."access_level" != $4 AND "members"."id" = $5]):
ee/app/controllers/ee/groups/group_members_controller.rb:29:in `override'
ee/lib/gitlab/ip_address_state.rb:10:in `with'
ee/app/controllers/ee/application_controller.rb:44:in `set_current_ip_address'
app/controllers/application_controller.rb:499:in `set_current_admin'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:490:in `set_session_storage'
lib/gitlab/i18n.rb:73:in `with_locale'
lib/gitlab/i18n.rb:79:in `with_user_locale'
app/controllers/application_controller.rb:484:in `set_locale'
lib/gitlab/error_tracking.rb:52:in `with_context'
app/controllers/application_controller.rb:549:in `sentry_context'
app/controllers/application_controller.rb:477:in `block in set_current_context'
lib/gitlab/application_context.rb:54:in `block in use'
lib/gitlab/application_context.rb:54:in `use'
lib/gitlab/application_context.rb:21:in `with_context'
app/controllers/application_controller.rb:469:in `set_current_context'
lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'
lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'
lib/gitlab/metrics/transaction.rb:61:in `run'
lib/gitlab/metrics/rack_middleware.rb:16:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/multipart.rb:234:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:23:in `call'
config/initializers/fix_local_cache_middleware.rb:9:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:76:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
Completed 404 Not Found in 24ms (Views: 1.5ms | ActiveRecord: 5.4ms | Elasticsearch: 0.0ms | Allocations: 12192)
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Debian 10 Proxy: *snip* Current User: git Using RVM: no Ruby Version: 2.7.2p137 Gem Version: 3.1.4 Bundler Version:2.1.4 Rake Version: 13.0.1 Redis Version: 5.0.9 Git Version: 2.29.0 Sidekiq Version:5.2.9 Go Version: unknown GitLab information Version: 13.7.4-ee Revision: 368b4fb2eee Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 11.9 URL: *snip* HTTP Clone URL: *snip* SSH Clone URL: *snip* Elasticsearch: no Geo: no Using LDAP: yes Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 13.14.0 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab subtasks ...Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.14.0 ? ... OK (13.14.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 232/76 ... yes 158/79 ... yes 242/81 ... yes 249/84 ... yes 251/85 ... yes 254/86 ... yes 240/88 ... yes 259/89 ... yes Redis version >= 4.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.2) Git version >= 2.29.0 ? ... yes (2.29.0) Git user has default SSH configuration? ... yes Active users: ... 19 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
Using the "Invite Member" form at the top of the page to "add" the same user with higher permissions works, but seems counter-intuitive to the user that faced this issue. If there is an "Edit permissions" in the user row, why isn't it usable? (And the same button works in the parent group where the LDAP sync is configured)
(I seem to remember that the "Edit permissions" button was hidden for LDAP users in subgroups in older versions of GitLab, but if it's there I expect it to do something useful ;))