Git over HTTP operations don't respect user.admin? when in admin_mode

Summary

When Admin Mode is enabled in GitLab, Git over HTTP operations that are normally available to administrative users (for example, cloning a project where the user is not otherwise a direct or inherited member of the project) are blocked with a NotFound error:

Cloning into 'admin-mode-test'...
remote: The project you were looking for could not be found or you don't have permission to view it.

This conflicts with the current documentation, which states:

The following access methods are not protected by Admin Mode:

  • Git client access (SSH using public keys or HTTPS using Personal Access Tokens).

Steps to reproduce

  1. Enable Admin Mode
  2. Try to clone a project as an administrative user who does not otherwise have permissions to it
  3. The clone operation results in a 404

Possible fixes

In theory, the around action that calls sessionless_bypass_admin_mode! for sessionless users should handle this.

However, the GitHttpController bypasses Devise and handles authentication on its own.

It may be possible to use auth_user instead of the Devise current_user in both the sessionless_user? check and sessionless_bypass_admin_mode!.

This worked in rudimentary local testing with a 14.7.0 instance. However, I'm unsure of all of the ramifications of using auth_user instead of current_user in SessionlessAuthentication.
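The control flow sketched above, as an added, constructed model rather than GitLab's own code: the Request, User and Project objects and the clone_allowed_* helpers are hypothetical, and only the method names mirror the ones mentioned in this issue. It shows why the around action never fires when it consults a nil Devise current_user, and why passing the controller's own auth_user makes the sessionless bypass apply.

```ruby
# Constructed model of the admin-mode gate; not GitLab's implementation.
User = Struct.new(:name, :admin, keyword_init: true)
Project = Struct.new(:name, :members, keyword_init: true)

class Request
  attr_reader :session_user, :auth_user

  # session_user: what Devise's current_user returns (nil for token/basic-auth Git requests)
  # auth_user:    what the Git HTTP controller resolves from the HTTP credentials itself
  def initialize(session_user: nil, auth_user: nil, admin_mode_session: false)
    @session_user = session_user
    @auth_user = auth_user
    @admin_mode_session = admin_mode_session
    @bypass = false
  end

  # Admin privileges apply only when the session was elevated into admin mode,
  # or when a sessionless request explicitly bypassed the check.
  def admin_mode_active?
    @admin_mode_session || @bypass
  end

  # "Sessionless" here means authenticated, but not through a Devise session.
  def sessionless_user?(user)
    !user.nil? && @session_user.nil?
  end

  # Around-action: bypass admin mode for the duration of the block, then reset.
  def sessionless_bypass_admin_mode!(user)
    @bypass = true if sessionless_user?(user)
    yield
  ensure
    @bypass = false
  end

  # Members can always read; admins only while admin mode is active or bypassed.
  def can_read?(user, project)
    return false if user.nil?
    return true if project.members.include?(user.name)
    user.admin && admin_mode_active?
  end
end

# Buggy path: the check consults Devise's current_user, which is nil for Git over HTTP,
# so the bypass never happens and the admin gets the 404 described above.
def clone_allowed_buggy(request, project)
  request.sessionless_bypass_admin_mode!(request.session_user) do
    request.can_read?(request.auth_user, project)
  end
end

# Proposed path: hand the controller's auth_user to the same check instead.
def clone_allowed_fixed(request, project)
  request.sessionless_bypass_admin_mode!(request.auth_user) do
    request.can_read?(request.auth_user, project)
  end
end
```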