Bot accounts created using a Group Access Token can create projects in their personal namespace using the REST API

Summary

If a user creates a Group Access Token, GitLab automatically creates a bot account for it. There are two problematic behaviors we are seeing at the moment:

  • Using the Group Access Token, the user can create a project under the bot account's personal namespace via the Projects REST API.
  • (handled via separate issue) When the Group Access Token is revoked, the bot account and its project are not deleted, contrary to our documentation.

Steps to reproduce

  1. Create a Group Access Token.
  2. Using that token, create a project via the Projects REST API, passing the `namespace_id` of the bot account created for the token.
  3. Revoke the Group Access Token.
  4. Observe that the bot account and its project are not deleted.
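The four steps above as a script, added here as an example and not code from the original issue or from GitLab. It uses only documented GitLab REST API v4 paths (group access tokens, `/user`, `/namespaces`, `/projects`, `/users/:id`) through the standard library. Names such as `make_transport`, `reproduce`, the `repro-gat` token name and the environment variables are this example's own. It assumes `GITLAB_TOKEN` is an administrator token: the report notes the bot's project is visible to admins only, so checking with an owner token would return 404 for a project that still exists. Because `DeleteUserWorker` runs asynchronously (see the logs below), the final check waits before querying.

```python
"""Reproduce: create a group access token, use it to create a project in the bot
user's personal namespace, revoke the token, then check whether the bot user and
its project survive. Added example; assumes documented GitLab REST API v4 paths
and an admin PAT in GITLAB_TOKEN."""
import json
import os
import time
import urllib.error
import urllib.request

API_PREFIX = "/api/v4"


def make_transport(base_url):
    """Build call(method, path, token, payload) -> (status, body) over urllib."""
    def call(method, path, token, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(
            base_url.rstrip("/") + API_PREFIX + path,
            data=data,
            method=method,
            headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return call


def _expect(status, ok_status, what, body):
    if status != ok_status:
        raise RuntimeError(f"{what}: HTTP {status} {body}")


def reproduce(call, admin_token, group_id, token_name="repro-gat", wait_seconds=30):
    """Run the four steps; return which objects still exist after revocation.

    `call` is the transport from make_transport (or a test double with the same
    signature), `admin_token` an admin PAT, `group_id` the numeric group id."""
    # 1. Create a group access token; GitLab provisions a bot user for it.
    status, tok = call("POST", f"/groups/{group_id}/access_tokens", admin_token,
                       {"name": token_name, "scopes": ["api"], "access_level": 40})
    _expect(status, 201, "create group access token", tok)
    bot_token = tok["token"]

    # The token authenticates as the bot user; /user tells us who that is.
    status, bot = call("GET", "/user", bot_token)
    _expect(status, 200, "resolve bot user", bot)

    # The bot's personal namespace is the one with kind == "user" (assumption:
    # bot users expose it via /namespaces like regular users do).
    status, namespaces = call("GET", "/namespaces", bot_token)
    _expect(status, 200, "list bot namespaces", namespaces)
    personal = [ns for ns in namespaces if ns.get("kind") == "user"]
    if not personal:
        raise RuntimeError("bot user has no personal namespace visible via /namespaces")
    namespace_id = personal[0]["id"]

    # 2. Create a project in that namespace, authenticating as the bot.
    status, project = call("POST", "/projects", bot_token,
                           {"name": f"{token_name}-project", "namespace_id": namespace_id})
    _expect(status, 201, "create project in bot namespace", project)

    # 3. Revoke the group access token (204 No Content on success).
    status, body = call("DELETE", f"/groups/{group_id}/access_tokens/{tok['id']}", admin_token)
    _expect(status, 204, "revoke group access token", body)

    # 4. Cleanup is asynchronous (DeleteUserWorker), so wait, then check as admin
    #    whether the bot user and its project are still present.
    time.sleep(wait_seconds)
    bot_status, _ = call("GET", f"/users/{bot['id']}", admin_token)
    project_status, _ = call("GET", f"/projects/{project['id']}", admin_token)
    return {
        "bot_user_id": bot["id"],
        "project_id": project["id"],
        "bot_still_exists": bot_status == 200,
        "project_still_exists": project_status == 200,
    }


if __name__ == "__main__":
    transport = make_transport(os.environ["GITLAB_URL"])
    result = reproduce(transport, os.environ["GITLAB_TOKEN"], int(os.environ["GROUP_ID"]))
    print(json.dumps(result, indent=2))
    # With the documented behaviour both *_still_exists flags should be False.
```

Run it as `GITLAB_URL=https://gitlab.example GITLAB_TOKEN=... GROUP_ID=... python3 repro.py`; if either `*_still_exists` flag is `True` after the wait, the bug reported here is present. Note that the script leaves the surviving bot and project behind on purpose so they can be inspected.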

Example Project

  1. This is an example bot account.
  2. This is an example project. It seems to be visible to admins only.

What is the current bug behavior?

  1. The bot account and its project are not deleted after the Group Access Token is revoked.

What is the expected correct behavior?

  1. The bot account and its project should be deleted when the Group Access Token is revoked.

Relevant logs and/or screenshots

project_cannot_be_deleted kibana-logs.json

    "json.class": [
      "DeleteUserWorker"
...
    "json.message": [
      "DeleteUserWorker JID-83dba3af73e7ed86de63d0fe: fail: 0.132911 sec"
...
    "json.error_message": [
      "Project 36230810 can't be deleted"

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info


Results of GitLab application Check


Possible fixes

Related Case:

Edited by Jessie Young