Minimal access role does not allow user to navigate to subgroup unless subgroup contains a project

Summary

As shown in the Manage:Access - Minimal Access with SSO for GitLab.com, a SAML user given minimal access at the top-level group and owner at the subgroup level should be able to access that inner group through the parent group. The current bug is that if the user accesses the top-level group, they get a 404.

The only way for the user to access the subgroup is by knowing the URL.

Customer reported this behavior in zd-264153 (internal).

Steps to reproduce

  • Have a SAML user with minimal access level role to parent group.
  • Grant owner access to a subgroup.
  • Try to access parent group with the user in question.

Example Project

What is the current bug behavior?

User receives 404 on

What is the expected correct behavior?

User should be able to browse the groups all the way down to the subgroup they have owner access to.

Relevant logs and/or screenshots

Video reproducing the issue Screen_Shot_2022-01-27_at_15.04.50 Screen_Shot_2022-01-27_at_15.05.20

A demo of the has_projects permission behavior used as a typical workaround for this problem is available at https://youtu.be/VNzssD9VK0U

Output of checks

This bug happens on GitLab.com, but it was confirmed on v14.5.0-ee too.

Workaround

Create a dummy group with a dummy project and use group sync to assign guest role or higher to users with minimal access.

e.g.

Main group/ # users granted minimal access as default role
   |- Dummy subgroup # use Group sync to assign all users guest access to this subgroup.
           |- Empty project # this project will allow users to log in to the group without a 404