Admin users cannot see UI elements on the requirements page unless they are directly added to the project
Summary
Multiple users with the admin role are unable to see UI elements in the requirements panel; the view served looks as if an Auditor user is viewing. The customer cannot share screenshots from their instances, as they are an air-gapped US federal customer. Below is a representation of what they see while acting as admin.
Problematic behavior:
Versus expected behavior as shown in the docs:
Steps to reproduce
GitLab.com example
- Create a requirement in a project.
- View it as an admin who is not a member of the project or group.
Customer example details
The customer can reproduce by navigating to the requirements section of any project of which they are not a member.
From troubleshooting with the customer:
- The problem affects multiple admin users
- Does not persist when impersonating project members with the reporter role or higher
- Persists while impersonating admin users who cannot see requirements when signed in as themselves
- Persists across three Omnibus instances of different versions:
  - 14.6.6
  - 14.8.5
  - 14.9.2
- All instances use separate databases
- The customer reports this started after upgrading beyond 14.5
- The behavior is mitigated by adding the admin to the project directly as reporter or higher, after which they can see and interact with UI elements on the requirements page as expected
- No missing UI elements in other areas of the UI (to our knowledge)
- If admins explicitly grant themselves membership in the project, they can see and interact with the requirements UI elements
- Watching GraphQL in the browser console shows different responses when accessing the project as an admin vs. as a direct member.
Browser console responses:

As admin:
userPermissions: {updateRequirement: false, adminRequirement: false, __typename: "RequirementPermissions"}

As a direct member with reporter role or higher:
userPermissions: {updateRequirement: true, adminRequirement: true, __typename: "RequirementPermissions"}
Example Project
https://gitlab.com/gitlab-gold/ci-basic-tests/ci-only/-/requirements_management/requirements
What is the current bug behavior?
Admins cannot see UI elements when viewing requirements in projects of which they are not direct members.
What is the expected correct behavior?
Admins should receive all permissions as outlined in the docs.
Possible fixes
Edit the policy so the condition is `reporter | admin` instead of reporter only, at https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/policies/ee/project_policy.rb#L376
Also update the spec file: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/spec/support/shared_examples/policies/requirement_policy_shared_examples.rb#L32
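The following is an added example, not GitLab's code, that models the effect of the proposed change: a minimal stand-in for the policy condition that gates `update_requirement` and `admin_requirement`, evaluated once as reporter-only (the behavior reported above) and once as `reporter | admin` (the proposed fix). The `User`, `Project` and `RequirementPolicy` classes are hypothetical stand-ins; the access level numbers are the real `Gitlab::Access::GUEST` (10) and `Gitlab::Access::REPORTER` (20). One caveat the stand-in leaves out: GitLab's real `admin` condition also requires an active admin-mode session when the Admin Mode setting is enabled, so an admin on such an instance would still see `false` outside admin mode.

```ruby
# Added example (not GitLab's code): a minimal model of the policy condition
# that gates requirement abilities, showing why a non-member instance admin
# gets `updateRequirement: false` under a reporter-only rule and `true` once
# the rule becomes `reporter | admin`.
#
# Assumptions: User, Project and RequirementPolicy are hypothetical stand-ins.
# Access levels use the real Gitlab::Access values (GUEST = 10, REPORTER = 20).

GUEST    = 10
REPORTER = 20

User    = Struct.new(:name, :admin, keyword_init: true)
Project = Struct.new(:members, keyword_init: true) do
  # Highest access level the user holds through direct membership; 0 when
  # the user is not a member at all (the admin case on this page).
  def team_access_level(user)
    members.fetch(user.name, 0)
  end
end

class RequirementPolicy
  ABILITIES = %i[update_requirement admin_requirement].freeze

  # include_admin: false models the rule as it currently behaves (reporter only);
  # include_admin: true models the proposed `reporter | admin` rule.
  def initialize(user, project, include_admin:)
    @user = user
    @project = project
    @include_admin = include_admin
  end

  # Stand-in for the `reporter` condition: direct membership at reporter or above.
  def reporter?
    @project.team_access_level(@user) >= REPORTER
  end

  # Stand-in for the `admin` condition: the instance admin flag. GitLab's real
  # condition additionally requires an admin-mode session when Admin Mode is on;
  # that nuance is deliberately omitted here.
  def admin?
    @user.admin
  end

  def allowed?(ability)
    raise ArgumentError, "unknown ability #{ability}" unless ABILITIES.include?(ability)
    return true if reporter?

    @include_admin && admin?
  end

  # Same shape as the GraphQL `userPermissions` object quoted in this issue.
  def user_permissions
    {
      "updateRequirement" => allowed?(:update_requirement),
      "adminRequirement" => allowed?(:admin_requirement)
    }
  end
end

def requirement_permissions(user, project, include_admin:)
  RequirementPolicy.new(user, project, include_admin: include_admin).user_permissions
end

# Constructed sample data: one reporter, one guest, one admin who is not a member.
PROJECT       = Project.new(members: { "alice" => REPORTER, "bob" => GUEST })
REPORTER_USER = User.new(name: "alice", admin: false)
GUEST_USER    = User.new(name: "bob", admin: false)
ADMIN_USER    = User.new(name: "root", admin: true)

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |include_admin|
    puts "rule: reporter#{include_admin ? ' | admin' : ''}"
    { reporter: REPORTER_USER, guest: GUEST_USER, "non-member admin": ADMIN_USER }.each do |label, user|
      puts "  #{label}: #{requirement_permissions(user, PROJECT, include_admin: include_admin)}"
    end
  end
end
```

The four cases the script prints (reporter, guest, non-member admin, under each rule) are the same four cases the shared spec examples linked above would need to cover: the admin case must flip from false to true, while the guest case must stay false so the change does not widen access beyond instance admins.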