Email invited members can join projects even after the member lock has been enabled
HackerOne report #1256967 by justas_b
on 2021-07-10, assigned to GitLab Team:
Report
Summary
Email invites don't get revoked after the Member lock option has been turned on in group settings. More info: https://docs.gitlab.com/ee/user/group/#prevent-members-from-being-added-to-a-group
Steps to reproduce
- Create a group
- Create a project
- Send an invite to an email you own but haven't yet created a GitLab account with
- Go to Settings -> General -> Permissions and turn on the Member lock option
- Create a GitLab account with the email you've sent an invitation to
- When the account is created, it joins the project automatically
What is the current bug behavior?
New members can join projects when member lock is enabled
What is the expected correct behavior?
All email invites should be revoked when member lock is enabled
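The expected behaviour, modelled as an added Ruby example (not GitLab's code): enabling the lock revokes every pending email invite in the group's projects, and invite acceptance re-checks the lock as a second line of defence. All class and method names here are hypothetical.

```ruby
# Added example, not GitLab's code: a minimal model of the group membership
# lock versus pending email invitations. Two checks together close the gap
# described in the report: revoke pending invites when the lock is turned on,
# and re-check the lock when a pending invite is finally accepted.
require 'set'

class Group
  attr_reader :projects, :membership_lock

  def initialize
    @projects = []
    @membership_lock = false
  end

  # Turning the lock on also revokes every email invite that has not yet
  # been accepted, so an account created later has nothing to claim.
  def enable_membership_lock!
    @membership_lock = true
    projects.each { |project| project.pending_invites.clear }
  end
end

class Project
  attr_reader :group, :members, :pending_invites

  def initialize(group)
    @group = group
    @members = Set.new          # accepted members, keyed by email
    @pending_invites = Set.new  # invited addresses with no account yet
    group.projects << self
  end

  # New invites are refused outright while the lock is on.
  def invite_email(email)
    raise 'membership lock enabled' if group.membership_lock
    pending_invites << email.downcase
  end

  # Called when a user signs up with (or confirms) an invited address.
  # Returns true only if the invite was still pending AND the group is
  # not locked; a stale invite that survived the lock is rejected here.
  def accept_invite(email)
    email = email.downcase
    return false unless pending_invites.delete?(email)
    return false if group.membership_lock
    members << email
    true
  end
end
```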
Output of checks
This bug happens on GitLab.com
Impact
New members can join projects when the member lock option is enabled