Regression: read_vulnerability custom role should not show dependency list
Summary
On GitLab.com, when adding a member with a custom role based on Guest that grants read_vulnerability
only, the user is still able to see the dependency list.
The API returns the correct permission ("read_dependency": false), but it is ignored: the user can
open the group dependency list regardless.
API call: GET /groups/:id/members/:user_id (identifiers and names redacted)
{
  "id":,
  "username": "",
  "name": "",
  "state": "active",
  "locked": false,
  "access_level": 10,
  "created_at": "",
  "created_by": {
    "id":,
    "username": "",
    "name": "",
    "state": "active",
    "locked": false
  },
  "expires_at": "2024-02-15",
  "membership_state": "active",
  "member_role": {
    "id":,
    "group_id":,
    "name": "Guest2",
    "description": "",
    "base_access_level": 10,
    "admin_group_member": false,
    "admin_merge_request": false,
    "admin_terraform_state": false,
    "admin_vulnerability": false,
    "archive_project": false,
    "manage_group_access_tokens": false,
    "manage_project_access_tokens": false,
    "read_code": false,
    "read_dependency": false,
    "read_vulnerability": true,
    "remove_project": false
  }
}
Steps to reproduce
1- Create a custom role on a GitLab.com group based on Guest with only read_vulnerability checked
2- Add a user to the group with this custom role
3- The user can access the group dependency list.
Tested on 16.2 (self-managed): it behaved as expected; the same user cannot see the dependency list.
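To make the mismatch above checkable rather than eyeballed, here is a small Python audit helper that derives the expected dependency-list visibility from a members API payload and compares it with what was observed in the UI. This is an added example, not GitLab code: the member payload is constructed with placeholder ids mirroring the shape above, and the base-role threshold used when no custom role is attached is a caller-supplied parameter, not a value taken from GitLab's permission matrix.

```python
"""Audit helper: compare API-declared dependency-list permission with observed UI behaviour.

Added illustration for this bug report; not part of GitLab. The payload below is
constructed (placeholder ids) and mirrors the member_role response in the report.
"""
import json

# Constructed sample response for GET /groups/:id/members/:user_id.
# Ids are placeholders; the permission flags match the report.
SAMPLE_MEMBER_JSON = """
{
  "id": 1001,
  "username": "example-guest2-user",
  "name": "Example User",
  "state": "active",
  "access_level": 10,
  "member_role": {
    "id": 501,
    "group_id": 42,
    "name": "Guest2",
    "base_access_level": 10,
    "read_code": false,
    "read_dependency": false,
    "read_vulnerability": true,
    "admin_vulnerability": false
  }
}
"""

# A second constructed member without a custom role, to exercise the fallback path.
SAMPLE_PLAIN_MEMBER_JSON = """
{"id": 1002, "username": "example-plain-guest", "name": "Plain Guest",
 "state": "active", "access_level": 10}
"""


def can_read_dependency_list(member: dict, base_threshold: int) -> bool:
    """Return the dependency-list visibility the API payload implies.

    When a custom role (member_role) is attached, its explicit read_dependency
    flag is authoritative. Without one, fall back to comparing the base
    access_level against base_threshold, which the caller supplies (assumption:
    the example does not encode GitLab's built-in role matrix).
    """
    role = member.get("member_role")
    if role is not None:
        return bool(role.get("read_dependency", False))
    return int(member.get("access_level", 0)) >= base_threshold


def audit(members: list[dict], base_threshold: int, observed: dict[str, bool]) -> list[tuple]:
    """Compare expected visibility with observed UI behaviour per username.

    observed maps username -> whether the user could open the dependency list.
    Returns (username, expected, observed) tuples where the two disagree, which
    is exactly the regression condition described in the report.
    """
    mismatches = []
    for member in members:
        username = member["username"]
        expected = can_read_dependency_list(member, base_threshold)
        seen = observed.get(username)
        if seen is not None and seen != expected:
            mismatches.append((username, expected, seen))
    return mismatches


def report_from_samples(base_threshold: int = 30) -> list[tuple]:
    """Run the audit on the constructed samples with the observation from the report.

    base_threshold=30 (Developer) is an assumed value for the fallback path only;
    the custom-role member never reaches it.
    """
    members = [json.loads(SAMPLE_MEMBER_JSON), json.loads(SAMPLE_PLAIN_MEMBER_JSON)]
    # Observed on GitLab.com per the report: the custom-role user CAN see the list.
    observed = {"example-guest2-user": True, "example-plain-guest": False}
    return audit(members, base_threshold, observed)


if __name__ == "__main__":
    for username, expected, seen in report_from_samples():
        print(f"MISMATCH {username}: API says read_dependency={expected}, UI showed {seen}")
```

Feeding the helper a real payload from the API (with ids intact) and a dict of what each test user actually saw gives a reproducible record for the regression: an empty mismatch list is the expected state on 16.2, and the single entry for the custom-role user is the GitLab.com behaviour reported here.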