Users with "read_code" ability get no results when searching for code
Summary
If a user with the custom role (that has a read_code ability enabled) tries to search for any code, they get no results. Considering this feature is available to Reporter members who also have the read_code policy enabled, we're thinking that users with this custom role should also have the ability to search for code.
According to the MR !103550 (merged), the read_code ability should allow users to use search, but this doesn't seem to be the case.
Steps to reproduce
- Pre-requisite: the group should have an Ultimate plan, as custom roles are only available on Ultimate;
- Create a subgroup;
- Invite the user who is going to have the Guest-custom role. We used commands similar to the examples we have documented to do it:
  - Add member role:
    curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" --data '{"base_access_level": 10, "read_code": true}' "https://gitlab.com/api/v4/groups/:group_id/member_roles"
  - Update user role:
    curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" --data '{"member_role_id": 191, "access_level": 10}' "https://gitlab.com/api/v4/groups/:group_id/members/:user_id"
- Signed in as a Guest - custom user, navigate to the group you're now a member of;
- Search for any code examples (that can be found in projects of that group).
Example Project
https://gitlab.com/gitlab-gold/kategrechishkinatestgroup/dast-tests/openapi-example
This behavior was originally reported by our customer via the following Support request (internal link):
https://gitlab.zendesk.com/agent/tickets/434387
What is the current bug behavior?
Users with the "read_code": true ability do not see any code in search results.
What is the expected correct behavior?
Users with the "read_code": true ability should see code in search results.
Relevant logs and/or screenshots
A couple of screenshots for more context:
In the test group, we have two users - one with the Reporter role, the other with the Guest - custom role.
Abilities we set for the Guest - custom role:
{
  "id": 191,
  "group_id": 2564024,
  "name": "Guest - custom",
  "description": null,
  "base_access_level": 10,
  "read_code": true,
  "read_dependency": false,
  "read_vulnerability": false,
  "admin_vulnerability": false
}
If a guest-custom user tries to look for the code line, there are no results shown:
Output of checks
This bug happens on GitLab.com
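The check below is an added example, not part of the original report and not GitLab's own code: it turns the expected behavior above into a repeatable comparison, using the Reporter as the control that proves the search term really exists in the group. The helper names, the sample hit and the verdict strings are assumptions for illustration; the URL it builds is the group search API with the blobs scope.

```python
import json
import urllib.parse
import urllib.request

REPORTER = 20  # GitLab access level for Reporter (Guest is 10)

def expects_code_search(access_level, member_role=None):
    """Expectation from the report: Reporter and above, or a custom role with read_code."""
    return access_level >= REPORTER or bool(member_role and member_role.get("read_code"))

def blob_search_url(base, group_id, term):
    """Group-level code search request (scope=blobs)."""
    query = urllib.parse.urlencode({"scope": "blobs", "search": term})
    return f"{base}/api/v4/groups/{group_id}/search?{query}"

def fetch_json(url, token):
    """Live call for one user's token; not used by the offline demo below."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def check_member(name, access_level, member_role, hits):
    """Compare what the role should allow with the blobs hits that user received."""
    expected = expects_code_search(access_level, member_role)
    observed = len(hits) > 0
    if expected and not observed:
        verdict = "BUG: permitted but no results"
    elif observed and not expected:
        verdict = "LEAK: results without permission"
    else:
        verdict = "ok"
    return {"user": name, "expected": expected, "observed": observed, "verdict": verdict}

# Constructed inputs: the role mirrors the abilities shown in the report,
# the hit is a made-up blobs result standing in for what the Reporter sees.
CUSTOM_ROLE = json.loads('{"id": 191, "base_access_level": 10, "read_code": true}')
SAMPLE_HIT = {"basename": "openapi", "path": "openapi.json", "project_id": 1}

def demo():
    return [
        check_member("reporter", 20, None, [SAMPLE_HIT]),   # control: term exists
        check_member("guest-custom", 10, CUSTOM_ROLE, []),  # behavior reported here
        check_member("plain-guest", 10, None, []),          # must stay empty
    ]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

For a live run, pass the result of `fetch_json(blob_search_url(...), token)` for each user as `hits`; the plain-guest row guards against a fix that over-grants code visibility.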