Project Wiki and Snippets accessible even when limited to project members only
Summary
I have a project set to internal, its group is also internal. The project has set the issues to "Everyone With Access", but the Repository, Wiki and Snippets only to "Only Project Members".
Strangely, a logged-in user A who does not belong to the group or project above can see the group, but does not see the project (typing the URL results in a 404). I'm surprised, I would have expected that the user could still access the Issue tracker but not the rest.
If I add this user A as Guest to the project, he can now see the project and access it. The Repository is not visible (only the README.md on the project page is visible, no cloning or downloading possible). But the Wiki and Snippets are still visible, even the "Private" snippets. This seems inconsistent.
I would like to know how to make a project Issue tracker visible to logged-in users, but not the code, wiki or snippets.
Steps to reproduce
- Create an internal group
- Create an internal project within that group
- Set the group permission according to the screenshot below
- Create a foobar user with no access to the above group or project
- See if foobar can access the group or project
- Now modify foobar to be a guest of that project and see what it can access
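To run these reproduction steps against the REST API instead of the UI, here is an added Python script (not part of this report or of GitLab itself) that records which feature endpoints a given user's token can reach and flags the features whose result contradicts the configured access level. It assumes API v4 and that the Projects API exposes the `issues_access_level`, `repository_access_level`, `wiki_access_level` and `snippets_access_level` fields with the values `enabled`, `private` and `disabled`; the URL, project id and tokens are placeholders you supply.

```python
import json
import urllib.error
import urllib.request

# Feature name -> API v4 path under /projects/:id (endpoints present in 12.x).
FEATURE_PATHS = {"issues": "/issues", "repository": "/repository/tree",
                 "wiki": "/wikis", "snippets": "/snippets"}

def get(base_url, project, path, token):
    """(status, parsed JSON or None) for one API call made as `token`'s user."""
    req = urllib.request.Request(f"{base_url}/api/v4/projects/{project}{path}",
                                 headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def classify(status):
    """GitLab answers 404 (sometimes 403) for anything the caller may not
    see, so only 200 counts as reachable."""
    if status == 200:
        return "reachable"
    if status in (401, 403, 404):
        return "unreachable"
    return f"unexpected({status})"

def probe(base_url, project, token):
    """Verdict per feature for the user who owns `token`."""
    return {name: classify(get(base_url, project, path, token)[0])
            for name, path in FEATURE_PATHS.items()}

def configured_levels(base_url, project, maintainer_token):
    """The project's *_access_level settings, read with a token that can
    see them (assumption: the Projects API exposes these fields)."""
    data = get(base_url, project, "", maintainer_token)[1]
    return {name: data[f"{name}_access_level"] for name in FEATURE_PATHS}

def inconsistencies(verdicts, levels, is_member):
    """Features whose verdict contradicts their access level: 'enabled' is
    everyone with access to the project, 'private' is project members
    only, 'disabled' is nobody. Assumes the project itself is visible."""
    expected = {"enabled": "reachable",
                "private": "reachable" if is_member else "unreachable",
                "disabled": "unreachable"}
    return sorted(n for n, lvl in levels.items() if verdicts.get(n) != expected[lvl])

# Usage: inconsistencies(probe(URL, ID, user_token),
#                        configured_levels(URL, ID, maintainer_token), is_member=True)
```

Run it once with the foobar user's token before and once after adding foobar as a Guest; an empty list means every feature behaved as its setting says.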
Example Project
Not possible to create as GitLab.com does not support "Internal" type groups/projects.
We are on version 12.2.4 which is at the time of writing recent (the most recent being 12.2.5).
What is the current bug behavior?
- As a simple internal user, the project is not accessible/visible although it is internal and Issues are set to "Everyone with Access".
- As a guest user, the project is visible, but the repository is not visible whereas the wiki and snippets are, although all 3 have the "Only Project Members" permission.
What is the expected correct behavior?
- As a simple internal user, the project should be visible and only the Issue list accessible.
- As a guest user, I'm not sure what it should be but I would expect some consistency between repository, wiki and snippets.
Relevant logs and/or screenshots
None relevant.
Output of checks
Everything OK, see the section below.
Results of GitLab environment info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.22.0
Sidekiq Version:5.2.7
Go Version: unknown
GitLab information
Version: 12.2.4
Revision: fcd107681ab
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.9
URL: https://gitlab/gitlab
HTTP Clone URL: https://gitlab/gitlab/some-group/some-project.git
SSH Clone URL: git@gitlab:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: saml
GitLab Shell Version: 9.3.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 9.3.0 ? ... OK (9.3.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
-- truncated, but all output are something like "x/y ... yes" --
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.3)
Git version >= 2.22.0 ? ... yes (2.22.0)
Git user has default SSH configuration? ... yes
Active users: ... 211
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)