'Roles allowed to create projects' restriction wrongly inherited from invited group
Summary
Users are unable to create projects in a group when the user's role was inherited from a group invite configured with Roles allowed to create projects = No One.
Steps to reproduce
- Start with a fresh user, without access to any other groups or namespaces
- Create Group
Developers - Configure Group
DeveloperswithRoles allowed to create projects = "No One" - Assign user
Danny Developerto this group with Developer access - Create and configure another group
ProjectswithRoles allowed to create projects = "Developers + Maintainers" - Invite group
DeveloperstoProjectswith Developer access. - Log in as
Danny Developer, and click on the "Create new project" button - Observe that the
Project URLoffers onlyDanny Developer's namespace and no option to search, i.e. it is not possible to create the project inProjects:
- Configure the
Developersgroup withRoles allowed to create projects = "Developers + Maintainers" - Attempt to create a new project in
Projectsand observe that it's possible to create a project in the group:
Example Project
https://gitlab.com/groups/dnldnz_ultimate_group/subgroup1/
What is the current bug behavior?
The Roles allowed to create projects setting appears to be incorrectly inherited from the source SAML group.
What is the expected correct behavior?
The Roles allowed to create projects setting on the target group should take precedence.
Workaround
Give "Developer" access to the user on any other group, under any namespace. This will cause the algorithm to also re-evaluate its access to group "Projects" as well, where it should have had permission to create projects in the first place.
Implementation plan
- Replace the existing code in User#several_namespaces? with a call to Groups::AcceptingProjectCreationsFinder and check if it return any group using the
.exists?or similar method. - Do manual testing, add specs, and compare the existing query plan with the new query plan.
Edited by 🤖 GitLab Bot 🤖