'Roles allowed to create projects' restriction wrongly inherited from invited group

Summary

Users are unable to create projects in a group when the user's role was inherited from a group invite configured with Roles allowed to create projects = No One.

Steps to reproduce

  1. Start with a fresh user, without access to any other groups or namespaces
  2. Create Group Developers
  3. Configure Group Developers with Roles allowed to create projects = "No One"
  4. Assign user Danny Developer to this group with Developer access
  5. Create and configure another group Projects with Roles allowed to create projects = "Developers + Maintainers"
  6. Invite group Developers to Projects with Developer access.
  7. Log in as Danny Developer, and click on the "Create new project" button
  8. Observe that the Project URL offers only Danny Developer's namespace and no option to search, i.e. it is not possible to create the project in Projects:

[Screenshot: Screenshot_2023-05-12_at_17.18.00]

  9. Configure the Developers group with Roles allowed to create projects = "Developers + Maintainers"
  10. Attempt to create a new project in Projects and observe that it is now possible to create a project in the group:

[Screenshot: Screenshot_2023-05-12_at_17.14.58]

Example Project

https://gitlab.com/groups/dnldnz_ultimate_group/subgroup1/

What is the current bug behavior?

The Roles allowed to create projects setting appears to be incorrectly inherited from the source SAML group.

What is the expected correct behavior?

The Roles allowed to create projects setting on the target group should take precedence.

Workaround

Give "Developer" access to the user on any other group, under any namespace. This causes the algorithm to re-evaluate the user's access to the group "Projects" as well, where the user should have had permission to create projects in the first place.

Implementation plan

  1. Replace the existing code in User#several_namespaces? with a call to Groups::AcceptingProjectCreationsFinder and check whether it returns any group, using .exists? or a similar method.
  2. Do manual testing, add specs, and compare the existing query plan with the new query plan.
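The following is a constructed Ruby model of the evaluation this issue is about, added here as an example; it is not GitLab's code, and the Group struct, the role tables and the helper names are assumptions. It reproduces the steps above with the setting read from the invited source group (the reported behaviour) and from the target group (the expected behaviour).

```ruby
# Constructed model (not GitLab's code) of how "Roles allowed to create
# projects" is evaluated for a user whose group access comes via a group invite.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Lowest role each setting value allows to create projects; nil means nobody.
MIN_ROLE_FOR = {
  'No One' => nil,
  'Maintainers' => :maintainer,
  'Developers + Maintainers' => :developer
}.freeze
# members: { user => role }; invites: [[source_group, max_role_granted], ...]
Group = Struct.new(:name, :creation_level, :members, :invites, keyword_init: true)

# Every way the user reaches the group: the effective role, and the group whose
# membership granted it (the group itself, or the invited source group).
def access_paths(user, group)
  paths = []
  paths << { role: group.members[user], via: group } if group.members[user]
  group.invites.each do |source, cap|
    src_role = source.members[user]
    next unless src_role
    # An invited group's members get at most the access level of the invite.
    role = ACCESS[src_role] <= ACCESS[cap] ? src_role : cap
    paths << { role: role, via: source }
  end
  paths
end
# Names of groups in which the user may create projects. With buggy: true the
# setting is read from the group the role was inherited from (the behaviour
# reported here); otherwise from the target group, the expected behaviour.
def groups_accepting_project_creation(user, groups, buggy: false)
  accepted = groups.select do |group|
    access_paths(user, group).any? do |path|
      min_role = MIN_ROLE_FOR.fetch((buggy ? path[:via] : group).creation_level)
      min_role && ACCESS[path[:role]] >= ACCESS[min_role]
    end
  end
  accepted.map(&:name)
end

# The reproduction steps above as constructed data: Danny is a Developer in
# "Developers", which is invited into "Projects" with Developer access.
def scenario(developers_level, buggy: false)
  developers = Group.new(name: 'Developers', creation_level: developers_level,
                         members: { 'danny' => :developer }, invites: [])
  projects = Group.new(name: 'Projects', creation_level: 'Developers + Maintainers',
                       members: {}, invites: [[developers, :developer]])
  groups_accepting_project_creation('danny', [developers, projects], buggy: buggy)
end
```

With Developers set to "No One", the buggy evaluation yields no group while the expected one yields Projects; once Developers is set to "Developers + Maintainers" (step 9), both evaluations agree, which is why the workaround above appears to fix it.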
Edited Jun 13, 2025 by 🤖 GitLab Bot 🤖