User with inherited membership doesn't have access to shared group when querying the API
Steps to reproduce
- Set up the following group hierarchy:
  - Organization group
    - Projects subgroup
    - Users subgroup
- Create a group-group share:
  - share Projects subgroup with Users subgroup.
- Add user as owner of Organization
- create a PersonalAccessToken for user with api scope
- curl --header "PRIVATE-TOKEN: " "http://localhost:3000/api/v4/groups/<group ID of projects>"
What is the current bug behavior?
shared_with_groups attribute is empty.
What is the expected correct behavior?
shared_with_groups attribute should include Users group.
With the current behaviour, user must be a direct member of Users group to be able to query the details of shared_with_groups, which shouldn't be required.
Possible fixes
Seems there's a bug where we check if the group is visible to the user.
Edited by Imre Farkas
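
A simplified Ruby model of the behaviour reported above, added here as an illustration and not GitLab's code: it contrasts a visibility check that counts only direct membership with one that also counts membership inherited from ancestor groups, using the hierarchy from the reproduction steps. All class, method and constant names are hypothetical, and the hierarchy is constructed sample data.

```ruby
# Simplified model (not GitLab's code): groups form a tree, membership is
# inherited from ancestors, and a group-group share lists the groups a group
# is shared with. All class and method names here are hypothetical.
Group = Struct.new(:name, :parent, :direct_members, :shared_with) do
  # The group itself followed by every ancestor up to the root.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end

# Behaviour reported in the issue: only direct membership counts.
def visible_direct_only?(user, group)
  group.direct_members.include?(user)
end

# Expected behaviour: membership in any ancestor is inherited by the group.
def visible_with_inheritance?(user, group)
  group.self_and_ancestors.any? { |g| g.direct_members.include?(user) }
end

# Names of the shared groups a response would expose to `user`,
# filtered by the given visibility check.
def shared_with_groups(user, group, check)
  group.shared_with.select { |g| send(check, user, g) }.map(&:name)
end

# Constructed hierarchy matching the reproduction steps.
ORGANIZATION = Group.new("Organization", nil, ["user"], [])
USERS        = Group.new("Users", ORGANIZATION, [], [])
PROJECTS     = Group.new("Projects", ORGANIZATION, [], [USERS])

if __FILE__ == $PROGRAM_NAME
  p shared_with_groups("user", PROJECTS, :visible_direct_only?)
  p shared_with_groups("user", PROJECTS, :visible_with_inheritance?)
  p shared_with_groups("outsider", PROJECTS, :visible_with_inheritance?)
end
```

The third call is the regression case worth keeping in any test for a fix: a user with no membership anywhere in the hierarchy must still get an empty list.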