Incorrect wording about existing groups in Group Share behaviour with Group Lock
Summary
Currently, our UI has this line about group shares under the Group Lock setting: Groups that have already been shared with a group outside [group] will still be shared, and this access will have to be revoked manually.
However, projects are not in fact accessible to users to an existing group share when the group lock feature is select (on).
We should clarify the documentation and UI text.
Steps to reproduce
- Create a group.
- In the top-level group, ensure the setting is select:
Prevent sharing a project within [group] with other groups
- Optional: Create a subgroup and a private project within.
- In a group, clear (deselect) the setting:
Prevent sharing a project within [group] with other groups
- Share a project with a group outside of the hierarchy, where at least one member is not a member of the new group.
- View the project with an outside-group member. At this point, it will be viewable.
- In the group, select (turn on) the setting:
Prevent sharing a project within [group] with other groups
- View the project with the outside-group member. Get a 404.
Example Project
- Parent: https://gitlab.com/groups/gitlab-gold/-/edit
- Subgroup: https://gitlab.com/groups/gitlab-gold/ci-basic-tests/-/edit
- Project: https://gitlab.com/gitlab-gold/ci-basic-tests/ci-only
- Note: This project is
Public
so currently the test user does not get a 404, but they cannot see anything set to "Project Members only" such as Security & Compliance. When set toPrivate
, they do get a 404.
- Note: This project is
Note: Prompted by customer (internal) https://gitlab.zendesk.com/agent/tickets/235387
What is the current bug behavior?
Existing group shares are not allowed access.
What is the expected correct behavior?
Existing group shares are allowed access.
Output of checks
GitLab.com, GitLab Enterprise Edition 14.3.0-pre 669e0259
Possible fixes
Temporary Workarounds
- Turn off the "Prevent sharing" (Group Lock) option at the relevant subgroup level.
- Add users as direct members with the appropriate role.
Edited by Cynthia "Arty" Ng