  • #342448
Closed
Open
Issue created Oct 05, 2021 by Harish Ramachandran@harishsrDeveloper

Users can be added to group via API but not UI with LDAP group sync enabled

Found in Federal ticket 1420

When LDAP group sync is enabled and a GitLab group has an LDAP group link, then individual users cannot be manually added to the group via the UI.

However, using this API call to add a member to a group, a non-LDAP user can be added to the group. Here, I added @user_1, who has id: 32, to the group:

```
curl --request POST --header "PRIVATE-TOKEN: <token>" \
     --data "user_id=32&access_level=30" "https://gitlab.local/api/v4/groups/61/members"
{"id":32,"name":"User One","username":"user_1","state":"active","avatar_url":"https://secure.gravatar.com/avatar/be72a6287c41316db75b7bc8020024c8?s=80\u0026d=identicon","web_url":"https://gitlab.local/user_1","access_level":30,"created_at":"2021-10-05T19:33:52.934Z","expires_at":null}
```

This can be confirmed in the UI, too.

[Screenshot attached: Screen_Shot_2021-10-05_at_4.18.27_PM, showing the user listed as a group member in the UI]

Afterwards, trying to remove the user from the group using the API yields:

```
curl --request DELETE --header "PRIVATE-TOKEN: <token>" "https://gitlab.local/api/v4/groups/61/members/32"
{"message":"403 Forbidden"}
```

There also seems to be no way to remove this user from the group now.

This was reproduced in GitLab 14.3.

I've marked this issue as Confidential because of the security implications.

Proposal:

Looks like a missing authorization check on the REST API. Might be worth checking and addressing if there is a corresponding GraphQL endpoint like this as well that is also vulnerable?

We might also have to see why the DELETE action is not permitted. It is good that it is not permitted, but is that due to having the authorization check in place or due to some other bug?
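The root cause the report points at is an authorization check that exists on the UI path but not on the REST path. The Ruby below is an added illustrative model of that defect and its fix; it is not GitLab's own code, and `Group`, `Member`, `GroupMembershipPolicy` and `GroupMembersApi` are stand-ins I made up. It puts the "membership is owned by LDAP" decision in one policy object that every entry point consults, so the REST handler cannot drift from the UI, and it makes a 403 carry a machine-readable reason so an operator can tell a deliberate policy denial from an unrelated failure (the second question the report raises). The sample group and user ids are the ones from the issue, but the data is constructed.

```ruby
require 'json'

# Stand-in models (assumption: these only mimic, and are not, GitLab's classes).
Group  = Struct.new(:id, :ldap_group_links, :members, keyword_init: true)
Member = Struct.new(:user_id, :access_level, keyword_init: true)

# The single authorization policy consulted by every entry point (UI, REST, GraphQL).
class GroupMembershipPolicy
  def initialize(ldap_group_sync_enabled:)
    @ldap_group_sync_enabled = ldap_group_sync_enabled
  end

  # Membership is owned by LDAP while group sync is on and the group has a group link.
  def membership_locked?(group)
    @ldap_group_sync_enabled && !group.ldap_group_links.empty?
  end

  # nil when a manual membership change is allowed, otherwise a denial reason.
  def deny_reason(group)
    membership_locked?(group) ? 'ldap_group_sync_locked' : nil
  end
end

# "Before": a REST handler that mutates membership without consulting the policy.
# This is the shape of the defect the issue describes (only the UI enforced the check).
def vulnerable_add_member(group, user_id:, access_level:)
  member = Member.new(user_id: user_id, access_level: access_level)
  group.members << member
  { status: 201, body: member.to_h }
end

# "After": every mutation goes through the shared policy, and a denial names its reason.
class GroupMembersApi
  def initialize(policy)
    @policy = policy
  end

  def add_member(group, user_id:, access_level:)
    reason = @policy.deny_reason(group)
    return forbidden(reason) if reason

    member = Member.new(user_id: user_id, access_level: access_level)
    group.members << member
    { status: 201, body: member.to_h }
  end

  def remove_member(group, user_id:)
    reason = @policy.deny_reason(group)
    return forbidden(reason) if reason

    before = group.members.size
    group.members.reject! { |m| m.user_id == user_id }
    return { status: 204, body: nil } if group.members.size < before

    { status: 404, body: { 'message' => '404 Not found' } }
  end

  private

  def forbidden(reason)
    { status: 403, body: { 'message' => '403 Forbidden', 'reason' => reason } }
  end
end

# Constructed scenario: group 61 has an LDAP group link and sync is enabled, as in the issue.
# The unchecked path lets user 32 in; the policy-backed path refuses both a further add
# and the removal of the stray member, which is exactly the trap the report describes.
def demo
  policy = GroupMembershipPolicy.new(ldap_group_sync_enabled: true)
  group  = Group.new(id: 61, ldap_group_links: ['cn=devs,ou=groups,dc=example,dc=com'], members: [])

  vulnerable = vulnerable_add_member(group, user_id: 32, access_level: 30)
  api        = GroupMembersApi.new(policy)
  fixed_add  = api.add_member(group, user_id: 33, access_level: 30)
  fixed_del  = api.remove_member(group, user_id: 32)

  { vulnerable_add: vulnerable, fixed_add: fixed_add, fixed_remove: fixed_del,
    members: group.members.map(&:user_id) }
end

puts JSON.pretty_generate(demo) if $PROGRAM_NAME == __FILE__
```

Because the removal path consults the same policy as the add path, a member that slipped in through the unchecked handler cannot be removed through the API either; closing the add path is the fix for the root cause, and the denial reason in the 403 body is what tells an operator that the removal was refused by the LDAP lock rather than by some other bug.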

Edited Mar 29, 2022 by Dominic Couture