Do not allow Group Access Token (bot user) to become the sole owner in a top-level group
Summary
- This issue is very similar to:
  However, the steps to replicate the issue are different and still possible to perform at this point in time.
  It's possible for a Group Access token bot user to be the last explicit owner of a top-level group.
- This is problematic on GitLab.com SaaS where no user can sign in as the bot user to change settings or re-add users.
- This is problematic on self-managed GitLab instances where it may be more likely that users could erroneously delete a bot user while they're the sole owner of a top-level group, and thus end up removing all of the group's contents. For example, a bot user may inadvertently be removed if the intention is to create a new group access token with a different permission scope (since this can only be defined on initial token creation), or when it's unclear what the bot user is being used for.
  - Caveat: At the time of writing, I am not currently aware of whether there are legitimate use cases to allow these bot users to be sole owners of top-level groups on self-managed instances, but the argument against it on SaaS is pretty clear.
- A large self-managed Ultimate customer raised this concern after the removal of a bot user that inadvertently ended up as the sole owner of a top-level group resulted in contribution deletions (subgroups and projects under the top-level group being removed).
Steps to reproduce
1. Create a top-level group
2. Add a Group Access Token with Owner role to the group.
   - (For the sake of this example use the Owner role, but be aware that you can set any role and end up with a bot user as a sole member of a group, irrespective of if they are an Owner. The cause of this may be due to a separate outstanding issue)
3. Create a new subgroup
4. Invite a user to the subgroup (invite your own account for this example)
5. Invite the subgroup as a group member under the top-level group created in step 1, with the Owner role
6. Leave the group as a direct member, which will be allowable:
7. At this point you can still access the top-level group as a member of the subgroup that was invited to the top-level group. Remove this group as a member of the top-level group.
8. The result is that the top-level group now only has the bot user as the sole owner.
What is the current bug behavior?
Bot users can be sole owner in a top-level group.
Note: It's possible to use the same reproduction steps to leave the bot user (or any user) as the sole member of a group, irrespective of their role, resulting in a top-level group with no Owner at all. This has currently been raised in separate ongoing issues and may have crossover with some of the behavior demonstrated here.
- Groups can have no owner after deleting members
- Account owner being removed results in a group with no owner
What is the expected correct behavior?
Bot users should not be allowable as sole owners in top-level groups.
Output of checks
GitLab.com, GitLab Enterprise Edition 15.5.0-pre f6d32efc
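
The following is an added example, not part of the original issue and not GitLab's own code: a guard that replays the reproduction steps over a constructed membership snapshot and refuses the removal that would leave a bot as the sole owner. The dictionary layout, the usernames, the bot username pattern and the treatment of an invited group with Owner as a human path are assumptions made for illustration.

```python
import re

OWNER = 50  # numeric access level GitLab uses for the Owner role
# Assumption: group access token bots have usernames like group_<id>_bot...
BOT_USERNAME = re.compile(r"^group_\d+_bot")

def human_owner_paths(group):
    """Ways a human can still act as Owner: direct non-bot Owners, plus
    invited groups granted Owner (simplified: assumes they contain people)."""
    direct = [m["username"] for m in group["members"]
              if m["access_level"] == OWNER
              and not BOT_USERNAME.match(m["username"])]
    invited = ["group:" + g["name"] for g in group["invited_groups"]
               if g["access_level"] == OWNER]
    return direct + invited

def without(group, kind, name):
    """Copy of the group with one direct member or invited group removed."""
    key = "username" if kind == "members" else "name"
    after = dict(group)
    after[kind] = [e for e in group[kind] if e[key] != name]
    return after

def can_remove(group, kind, name):
    """Guard: allow a removal only if a human Owner path survives it."""
    return bool(human_owner_paths(without(group, kind, name)))

def bot_is_sole_owner(group):
    """Audit: the group has Owner bots and no human Owner path at all."""
    bots = [m for m in group["members"] if m["access_level"] == OWNER
            and BOT_USERNAME.match(m["username"])]
    return bool(bots) and not human_owner_paths(group)

def repro_group():
    """Constructed state after steps 1-5 of the reproduction."""
    return {
        "members": [
            {"username": "alice", "access_level": OWNER},
            {"username": "group_101_bot_example", "access_level": OWNER},
        ],
        "invited_groups": [{"name": "subgroup", "access_level": OWNER}],
    }

if __name__ == "__main__":
    g = repro_group()
    print("step 6 allowed:", can_remove(g, "members", "alice"))
    g = without(g, "members", "alice")
    print("step 7 allowed:", can_remove(g, "invited_groups", "subgroup"))
```

The same `bot_is_sole_owner` check can be run as an audit before deleting a bot user or revoking its token on a self-managed instance.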