Users with "read_code" ability get no results when searching for code

Summary

If a user with the custom role (that has a read_code ability enabled) tries to search for any code, they get no results. Considering this feature is available to Reporter members who also have the read_code policy enabled, we're thinking that users with this custom role should also have the ability to search for code.

According to the MR !103550 (merged), the read_code ability should allow users to use search, but this doesn't seem to be the case.

Steps to reproduce

  1. Pre-requisite - the group should have an Ultimate plan, as custom roles are only available on Ultimate;
  2. Create a subgroup;
  3. Invite the user who is going to have the Guest-custom role. We used commands similar to the examples we have documented to do it:
  • Add member role:
curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" --data '{"base_access_level" : 10, "read_code" : true}' "https://gitlab.com/api/v4/groups/:group_id/member_roles"
  • Update user role:
curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" --data '{"member_role_id": 191, "access_level": 10}' "https://gitlab.com/api/v4/groups/:group_id/members/:user_id"
  4. Signed in as a Guest - custom user, navigate to the group you're now a member of;
  5. Search for any code examples (that can be found in projects of that group).

Example Project

https://gitlab.com/gitlab-gold/kategrechishkinatestgroup/dast-tests/openapi-example

This behavior was originally reported by our customer via the following Support request (internal link):

https://gitlab.zendesk.com/agent/tickets/434387

What is the current bug behavior?

Users with the "read_code": true ability do not see any code in search results.

What is the expected correct behavior?

Users with the "read_code": true ability should see code in search results.

Relevant logs and/or screenshots

A couple of screenshots for more context:

In the test group, we have two users - one with Reporter role, the other with the Guest - custom role. [screenshot]

Abilities we set for the Guest - custom role:

{
    "id": 191,
    "group_id": 2564024,
    "name": "Guest - custom",
    "description": null,
    "base_access_level": 10,
    "read_code": true,
    "read_dependency": false,
    "read_vulnerability": false,
    "admin_vulnerability": false
  }

If a guest-custom user tries to look for the code line, there are no results shown: [screenshot]

At the same time, Reporter does see search results: [screenshot]

Output of checks

This bug happens on GitLab.com

Edited by Dima Serafin
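
The reproduction steps above as a repeatable authorization check, added here as an example and not part of the original issue or of GitLab's code. Assumptions: the GET /groups/:id/member_roles listing and the GET /groups/:id/search endpoint with scope=blobs come from GitLab's REST API rather than from this page; the function names, verdict strings, token values and the fake_get sample responses are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

API = "https://gitlab.com/api/v4"  # host used in the issue's curl commands


def http_get(path, token):
    """Default transport: authenticated GET against the GitLab REST API."""
    req = urllib.request.Request(API + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def blob_search(get, group_id, term, token):
    """Group-scoped code search (scope=blobs; endpoint assumed, not shown on the page)."""
    query = urllib.parse.urlencode({"scope": "blobs", "search": term})
    return get(f"/groups/{group_id}/search?{query}", token)


def check_read_code_search(get, group_id, role_id, term, admin_token, custom_token, reporter_token):
    """Compare the custom-role user's code search with a Reporter's for the same term."""
    roles = get(f"/groups/{group_id}/member_roles", admin_token)
    role = next((r for r in roles if r["id"] == role_id), None)
    if role is None or not role.get("read_code"):
        return "not-applicable"   # role lacks read_code, so empty results are expected
    if not blob_search(get, group_id, term, reporter_token):
        return "inconclusive"     # the Reporter baseline finds nothing; pick another term
    custom_hits = blob_search(get, group_id, term, custom_token)
    return "consistent" if custom_hits else "bug-reproduced"


def fake_get(path, token):
    """Constructed offline stand-in for http_get that mimics the reported behaviour."""
    if path.endswith("/member_roles"):
        return [{"id": 191, "base_access_level": 10, "read_code": True}]
    # Constructed search response: only the Reporter token receives a blob hit.
    return [{"path": "README.md", "data": "openapi"}] if token == "reporter" else []


if __name__ == "__main__":
    # Offline demo; pass http_get and real tokens to run against a live group.
    print(check_read_code_search(fake_get, 2564024, 191, "openapi",
                                 "admin", "custom", "reporter"))
```

A "bug-reproduced" verdict means the role carries read_code, the Reporter baseline returns blobs, and the custom-role user still gets an empty result set.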