Repository mirroring seems to keep pushing tags for blocked users

Today (2019-08-29) there was an incident in which a mirror of chromium seemingly continued pushing tags after the user got blocked. This is surprising considering that :access_git is disabled for blocked users.

Link to a point in the thread: https://gitlab.slack.com/archives/CB7P5CJS1/p1567081960010100

Steps to reproduce

• Create a public test repository
• In GDK (or on any instance where you have the ability to block users), with a test user, create a mirror of the test repo
• Block the test user
• Create a tag on the test repository
• Trigger a mirror update

Expected results

To be defined. Given that

1. the push is created in the name of the user, and
2. blocked users are not supposed to be able to access git

it would seem that mirroring should be disabled if the user who created the mirror gets blocked

Actual results

• Tags keep getting created on the mirror

See also

Similar issues about blocked users:

• https://gitlab.com/gitlab-org/gitlab-ce/issues/58801
• https://gitlab.com/gitlab-org/gitlab-ce/issues/59355
• https://gitlab.com/gitlab-org/gitlab-ce/issues/46103