Bot accounts created using Group Access Token can create projects in their personal namespace using REST API
Summary
If a user creates a Group Access Token, this will automatically create a bot account. There are two problematic behaviors we are seeing at the moment:
- Using the Group Access Token, the user can create a project under the bot account's namespace using the Project API.
- (handled via separate issue)
When the Group Access Token is revoked, the bot account and the corresponding project are not deleted as per our documentation.
Steps to reproduce
- Create a Group Access Token.
- Create a project under the `namespace_id` of the bot created for the corresponding Group Access Token using the Project REST API.
- Revoke the Group Access Token.
- Observe that the bot account and the corresponding project are not deleted.
Example Project
- This is an example bot account.
- This is an example project. This seems to be visible to admin only.
What is the current bug behavior?
- The bot account and the corresponding project are not deleted.
What is the expected correct behavior?
- The bot account and the corresponding project should be deleted.
Relevant logs and/or screenshots
```
"json.class": [
  "DeleteUserWorker"
  ...
"json.message": [
  "DeleteUserWorker JID-83dba3af73e7ed86de63d0fe: fail: 0.132911 sec"
  ...
"json.error_message": [
  "Project 36230810 can't be deleted"
```
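The log excerpt above is the signal an operator has that a revoked token's bot user was not cleaned up: a `DeleteUserWorker` job that fails with `Project <id> can't be deleted`. The following script is an added example, not part of this issue or of GitLab's own code; it scans Sidekiq JSON log lines for exactly that failure and lists the project ids that blocked a deletion, so the affected bot users and projects can be found and handled by hand. It assumes the one-JSON-object-per-line Sidekiq log format with `class`, `jid`, `job_status` and `error_message` fields; the sample lines are constructed (only project id 36230810 and the JID come from the issue above, the rest is made up).

```python
"""Find DeleteUserWorker jobs that failed because a project could not be deleted.

Added example, not GitLab code. Assumes GitLab's structured Sidekiq log:
one JSON object per line carrying "class", "jid", "job_status", "message"
and, on failure, "error_message" (field names as in the issue's log excerpt).
"""
import json
import re

# Constructed sample log lines. The first one mirrors the failure quoted in the
# issue (JID 83dba3af73e7ed86de63d0fe, project 36230810); the others are made up
# to show a successful deletion, an unrelated worker and a non-JSON line.
SAMPLE_LOG = """\
{"severity":"INFO","class":"DeleteUserWorker","jid":"83dba3af73e7ed86de63d0fe","job_status":"fail","duration_s":0.132911,"message":"DeleteUserWorker JID-83dba3af73e7ed86de63d0fe: fail: 0.132911 sec","error_message":"Project 36230810 can't be deleted"}
{"severity":"INFO","class":"DeleteUserWorker","jid":"0a1b2c3d4e5f60718293a4b5","job_status":"done","duration_s":0.041,"message":"DeleteUserWorker JID-0a1b2c3d4e5f60718293a4b5: done: 0.041 sec"}
{"severity":"INFO","class":"PipelineProcessWorker","jid":"ffffffffffffffffffffffff","job_status":"done","duration_s":0.01,"message":"PipelineProcessWorker JID-ffffffffffffffffffffffff: done: 0.01 sec"}
this line is not JSON and must be skipped
{"severity":"INFO","class":"DeleteUserWorker","jid":"111111111111111111111111","job_status":"fail","duration_s":0.2,"message":"DeleteUserWorker JID-111111111111111111111111: fail: 0.2 sec","error_message":"Project 42 can't be deleted"}
"""

# Matches the error text shown in the issue and captures the project id.
PROJECT_RE = re.compile(r"Project (\d+) can't be deleted")


def find_failed_user_deletions(log_text):
    """Return one dict per DeleteUserWorker job whose job_status is "fail".

    Each dict holds the job id, the raw error message and, when the error is the
    "Project N can't be deleted" form, the blocking project id (else None).
    Non-JSON lines and other workers are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # plain-text line, not a structured log entry
        if entry.get("class") != "DeleteUserWorker" or entry.get("job_status") != "fail":
            continue
        error = entry.get("error_message", "")
        match = PROJECT_RE.search(error)
        findings.append({
            "jid": entry.get("jid"),
            "error_message": error,
            "blocking_project_id": int(match.group(1)) if match else None,
        })
    return findings


def blocking_project_ids(log_text):
    """Project ids that prevented a user deletion, deduplicated, in order seen."""
    seen = []
    for finding in find_failed_user_deletions(log_text):
        pid = finding["blocking_project_id"]
        if pid is not None and pid not in seen:
            seen.append(pid)
    return seen


if __name__ == "__main__":
    for finding in find_failed_user_deletions(SAMPLE_LOG):
        print(f"DeleteUserWorker {finding['jid']} failed: {finding['error_message']}")
    print("projects to inspect:", blocking_project_ids(SAMPLE_LOG))
```

On a real instance the same functions can be fed the contents of `sidekiq/current`; each reported project id is one to look up (it will sit under the bot user's namespace), and the bot user it belongs to is the one whose deletion has to be retried once the project is removed.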
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Results of GitLab application Check
Possible fixes
Related Case:
Edited by Jessie Young