Subgroup members cannot insert images into root group epics - Invalid JSON response from server
Summary
Members of subgroups cannot upload images to comments in the parent root group epics if they are not also a member of the root group. The dropzone gives a generic error "Invalid JSON response from server" and there is a 404 behind the scenes.
Observed during investigation for ticket 495871. Additionally, as noted in this comment, this also affects non-members in public groups. For example, a community member commenting in a gitlab-org epic.
Steps to reproduce
- Create a private root group
- Create a private subgroup in the root group
- Create a dummy project in the subgroup
- Invite a user to the subgroup with any role, and do not invite that member to the root group
- Create an epic in the root group
- As the invited user, navigate to the epic
- Attempt to attach an image to a comment on the epic
- Observe error in drop zone and 404 with page inspector
Example Project
https://gitlab.com/djb_ultimate_group
Where dummy account service-test-db is invited to djb_ultimate_group/495871-subgroup and can comment on the 495871-epic in djb_ultimate_group, but is unable to attach a picture.
What is the current bug behavior?
The user is able to navigate to the parent group, open an epic and add comments/markdown, but when attempting to insert a picture in the comment drop zone, the "Invalid JSON response from server" error is observed.
What is the expected correct behavior?
If it is intended that users able to comment on an epic should be able to add pictures to their comment, the correct behaviour should be to upload the selected file successfully and be able to post the comment.
If this is a permissions-related issue where the user should be able to comment but should not be allowed to include image uploads, a descriptive error should inform the user this is the case, and this should be documented in our permission information relating to user uploads.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com