
User access changes can impact CODEOWNER approver functionality


Summary

A user who is a CODEOWNER and holds an inherited Developer or higher role from the top-level group shows up in an MR as a Codeowner approver. When this user is then removed from the top-level group via SAML Group Link (falling back to Minimal Access in that top-level group, but still a Developer in the project), they are removed as a codeowner approver on that existing MR.

This seems to happen only when SAML Group Links are involved; at least in my tests, manually changing the user's role assignments did not have this effect.

Steps to reproduce

  • set up a hierarchy as follows
.
└── GROUP1
    └── SUBGROUP1
        └── SUBGROUP2
            └── PROJECT
  • in PROJECT create a CODEOWNERS file as follows
* user1@domain.com user2@domain.com user3@domain.com
  • in your SAML IdP create three groups (Maintainers, Guests and Developers) and initially add all three users to all three groups (tested here with Entra)
  • on GROUP1 add a SAML Group Link for Maintainers with Access Level Maintainer
  • on SUBGROUP1 add a SAML Group Link for Guests with Access Level Guest
  • on SUBGROUP2 add a SAML Group Link for Developers with Access Level Developer
  • make sure Code owner approval is enabled on the protected main branch
  • also enable Prevent approval by author in the project
  • sign in as user1@domain.com using SAML and create a new MR in PROJECT
  • both user2 and user3 will show up as codeowner approvers on the MR, and if user2 signs in via SAML they are able to approve
  • sign out as user2
  • remove user2 from the Maintainers group in the IdP
  • sign in as user2 via SAML to the namespace
  • now the user is no longer showing as a codeowner approver on the MR even though they still have the Developer role on the project via the SAML Group Link on SUBGROUP2
  • only user3 will show as a valid codeowner approver
  • even re-adding user2 to the Maintainers group in the IdP and logging in again does not re-add the user as a codeowner approver

Example Project

(internal only - https://gitlab.com/ah_group_premium/subgroup1/subgroup1-1/test_codeowner_approval)

What is the current bug behavior?

The change of role assignment via SAML Group Link in the parent groups impacts the codeowner approval. In addition, the behaviour is inconsistent: re-adding the user to Maintainers should revert this behaviour, but does not.

What is the expected correct behavior?

The change of role assignment via SAML Group Link in any of the parent groups should not have an impact on the codeowner approval.
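As an added model of the expected behaviour (constructed here, not GitLab's implementation), the hierarchy, SAML Group Links and CODEOWNERS line from the reproduction steps, with approver eligibility computed as the highest access granted by any link on the project or its ancestors; the numeric access ranks and the Developer threshold for approving are assumptions of this model:

```python
from fnmatch import fnmatch

# Access levels as numeric ranks (constructed table for this model)
ACCESS = {"Minimal Access": 5, "Guest": 10, "Developer": 30, "Maintainer": 40}
# Hierarchy (child -> parent) and SAML Group Links ((namespace, IdP group) -> level) from the steps
PARENT = {"GROUP1": None, "SUBGROUP1": "GROUP1", "SUBGROUP2": "SUBGROUP1", "PROJECT": "SUBGROUP2"}
SAML_LINKS = {
    ("GROUP1", "Maintainers"): "Maintainer",
    ("SUBGROUP1", "Guests"): "Guest",
    ("SUBGROUP2", "Developers"): "Developer",
}
CODEOWNERS = "* user1@domain.com user2@domain.com user3@domain.com\n"


def effective_access(idp_groups, namespace):
    """Highest access a user holds in `namespace` via SAML links on it or any ancestor."""
    best = 0
    while namespace is not None:
        for (link_ns, idp_group), level in SAML_LINKS.items():
            if link_ns == namespace and idp_group in idp_groups:
                best = max(best, ACCESS[level])
        namespace = PARENT[namespace]
    return best


def parse_codeowners(text):
    """Parse '<pattern> <owner> [<owner> ...]' lines; blanks and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def eligible_approvers(codeowners_text, path, author, idp_membership):
    """Owners of `path` (last matching rule wins) minus the MR author (Prevent approval by
    author), keeping only those with at least Developer in PROJECT (assumed threshold)."""
    owners = []
    for pattern, rule_owners in parse_codeowners(codeowners_text):
        if fnmatch(path, pattern):
            owners = rule_owners
    return sorted(o for o in owners if o != author
                  and effective_access(idp_membership.get(o, set()), "PROJECT") >= ACCESS["Developer"])


def scenario():
    # Before: all users in all three IdP groups. After: user2 removed from Maintainers only.
    before = {u: {"Maintainers", "Guests", "Developers"} for u in CODEOWNERS.split()[1:]}
    after = {u: g - {"Maintainers"} if u == "user2@domain.com" else set(g) for u, g in before.items()}
    return (eligible_approvers(CODEOWNERS, "README.md", "user1@domain.com", before),
            eligible_approvers(CODEOWNERS, "README.md", "user1@domain.com", after))
```

In this model user2 keeps Developer through the SUBGROUP2 link after leaving Maintainers, so both lists returned by `scenario()` contain user2 and user3, which is the expected behaviour the report contrasts with what the MR actually shows.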

Relevant logs and/or screenshots

  • both users showing (user2 logged in whilst being a member of Maintainers):


  • after user2 was removed from Maintainers and re-authenticated via SAML:


Output of checks

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

Edited by 🤖 GitLab Bot 🤖