Test PROXY protocol - Admins are not restricted by group allowlist
When using the group level setting Allow access to the following IP addresses
, even though my IP is not allowed as an Admin i'm still able to fully view and clone projects inside the restricted Group.
Based on https://staging.gitlab.com/help/user/group/index.md#restrict-group-access-by-ip-address
Administrators and group owners can access group settings from any IP address: Users with these permission levels can always
access the group settings, regardless of IP restriction, but they cannot access projects
belonging to the group when accessing from a disallowed IP address.
Some GitLab API endpoints will remain accessible from any IP: Users coming from denied IP addresses can still see group and project
names and hierarchies. Only the group (including all group resources)
APIs and project (including all project resources)
APIs are protected by IP address restrictions.
This states that even an Admin shouldn't be able to clone or view the projects.
Edited by Nick Westbury