Users can be added to group via API but not UI with LDAP group sync enabled
Found in Federal ticket 1420
When LDAP group sync is enabled and a GitLab group has an LDAP group link, then individual users cannot be manually added to the group via the UI.
However, using this API call to add a member to a group, a non-LDAP user can be added to the group. Here, I added @user_1
, who has id: 32
, to the group:
curl --request POST --header "PRIVATE-TOKEN: <token>" \
> --data "user_id=32&access_level=30" "https://gitlab.local/api/v4/groups/61/members"
{"id":32,"name":"User One","username":"user_1","state":"active","avatar_url":"https://secure.gravatar.com/avatar/be72a6287c41316db75b7bc8020024c8?s=80\u0026d=identicon","web_url":"https://gitlab.local/user_1","access_level":30,"created_at":"2021-10-05T19:33:52.934Z","expires_at":null
This can be confirmed in the UI, too.
Afterwards, trying to remove the user from the group using the API yields:
curl --request DELETE --header "PRIVATE-TOKEN: <token>" "https://gitlab.local/api/v4/groups/61/members/32"
{"message":"403 Forbidden"}
There also seems to be no way to remove this user from the group now.
This was reproduced in GitLab 14.3.
I've marked this issue as Confidential because of the security implications.
Proposal:
Looks like a missing authorization check on the REST API. Might be worth checking and addressing if there is a corresponding GraphQL endpoint like this as well that is also vulnerable?
We might also have to see why DELETE action is not permitted? It is good that it is not permitted but is that due to having the authorization check in place or due to some other bug?