Do not allow Group Access Token (bot user) to become the sole owner in a top-level group

Summary

It's possible for a Group Access Token bot user to be the last explicit owner of a top-level group.

  • This is problematic on GitLab.com SaaS where no user can sign in as the bot user to change settings or re-add users.

  • This is problematic on self-managed GitLab instances where it may be more likely that users could erroneously delete a bot user while they're the sole owner of a top-level group, and thus end up removing all of the group's contents. For example, a bot user may inadvertently be removed if the intention is to create a new group access token with a different permission scope (since this can only be defined on initial token creation), or when it's unclear what the bot user is being used for.

    • Caveat: At the time of writing, I am not currently aware of whether there are legitimate use cases to allow these bot users to be sole owners of top-level groups on self-managed instances, but the argument against it on SaaS is pretty clear.
  • A large self-managed Ultimate customer raised this concern after the removal of a bot user that inadvertently ended up as the sole owner of a top-level group resulted in contribution deletions (subgroups and projects under the top-level group being removed).

Steps to reproduce

  1. Create a top-level group

  2. Add a Group Access Token with Owner role to the group.

    • (For the sake of this example use the Owner role, but be aware that you can set any role and end up with a bot user as the sole member of a group, irrespective of whether they are an Owner. The cause of this may be a separate outstanding issue.)
  3. Create a new subgroup

  4. Invite a user to the subgroup (invite your own account for this example)

  5. Invite the subgroup as a group member under the top-level group created in step 1, with the Owner role

  6. Leave the group as a direct member, which is allowed.

  7. At this point you can still access the top-level group as a member of the subgroup that was invited to the top-level group. Remove this group as a member of the top-level group.

  8. The result is that the top-level group now only has the bot user as the sole owner.

What is the current bug behavior?

Bot users can be sole owner in a top-level group.

Note: It's possible to use the same reproduction steps to leave the bot user (or any user) as the sole member of a group, irrespective of their role, resulting in a top-level group with no Owner at all. This has currently been raised in separate ongoing issues and may have crossover with some of the behavior demonstrated here.
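
An audit for the two states described above (a top-level group whose only direct Owner is a bot user, and a group with no direct Owner at all), as an added example that is not part of the original issue or of GitLab's code. It assumes member records shaped like the Members API output (`username`, `access_level`) and that group access token bots use the `group_<id>_bot_<random>` username pattern; the group names and users in the sample data are constructed.

```python
import re

OWNER = 50  # access_level value GitLab uses for the Owner role
# Assumption: group access token bots are named group_<group id>_bot_<random string>.
# The username match is a heuristic; an explicit "bot" flag on the record wins.
BOT_USERNAME = re.compile(r"^group_\d+_bot(_\w+)?$")

def is_bot(member):
    """True if the member record looks like a group access token bot user."""
    return bool(member.get("bot")) or bool(BOT_USERNAME.match(member.get("username", "")))

def classify_group(direct_members):
    """Classify a top-level group from its *direct* members only.

    Owners inherited through an invited group are deliberately excluded:
    they vanish as soon as the invitation is removed (step 7 above).
    """
    owners = [m for m in direct_members if m.get("access_level") == OWNER]
    if not owners:
        return "no_owner"
    if all(is_bot(m) for m in owners):
        return "bot_only_owner"
    return "ok"

def audit(groups):
    """Return {group path: finding} for every group that needs attention."""
    findings = {}
    for path, members in groups.items():
        status = classify_group(members)
        if status != "ok":
            findings[path] = status
    return findings

# Constructed sample data: direct members of three hypothetical top-level groups.
SAMPLE_GROUPS = {
    "acme": [{"username": "jdoe", "access_level": 50},
             {"username": "group_101_bot_4ffca233d8298ea1", "access_level": 50}],
    "orphaned": [{"username": "group_102_bot_9b1c0e77aa20d413", "access_level": 50},
                 {"username": "dev1", "access_level": 30}],
    "ownerless": [{"username": "group_103_bot_0d5e6f12c3a4b5d6", "access_level": 40}],
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_GROUPS).items():
        print(f"{path}: {finding}")
```

Run against real data before deleting or rotating a group access token: a `bot_only_owner` finding means removing that bot user would leave the group without any human Owner.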

What is the expected correct behavior?

Bot users should not be allowed as sole owners in top-level groups.

Output of checks

GitLab.com, GitLab Enterprise Edition 15.5.0-pre f6d32efc

Edited by James Reed