Users invited from a group with maintainer max-role can create projects even if they are not maintainers on the invited group

Today I was setting up a few projects with colleagues of mine and noticed this strange behaviour (that I need to double check in GDK) 🙂

Setup:

  • We have group B used as a team members group (no projects inside, only used to quickly grant access to multiple users).
  • We have group A where I wanted users from group B to be able to create projects.
  • Users in group B all have developer access level.

Steps to reproduce:

  • Users from group B weren't members of group A so they could go inside group A but the New project button wasn't present
  • I invited group B to group A, so that users of group B have access to group A, with max-role set to maintainer (only maintainers can create projects)
  • The New project button is now visible so a user was able to create a project BUT they didn't see the project's settings element on the sidebar
  • I had to go to the members of group B and bump their access level to maintainer in order for them to be able to actually be maintainers on group A and see the project's settings page

So, two "bugs" maybe:

  • Users added via a group with maintainer max-role can create projects even though the users are not maintainers of the invited group
  • Even though the user created the project, they are neither owners nor maintainers, so they can't access settings
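
The mismatch described in this report can be checked on paper with a small model. The following is an added example, not part of the original issue and not GitLab source code: it assumes an invited member's effective role in the inviting group is the lower of their role in the invited group and the share's max role, and it compares a permission check based on that effective role with one based only on the share's max role (an assumed model of the reported symptom). The user names and the helper names `effective_level` and `audit_share` are hypothetical.

```python
# Added example with constructed data; a model of the report, not GitLab code.
# Numeric access levels as GitLab defines them.
ACCESS = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}
NAME = {level: name for name, level in ACCESS.items()}


def effective_level(member_level, share_max_level):
    """Role held in the inviting group: capped by both the member's own
    role in the invited group and the max role set on the share."""
    return min(member_level, share_max_level)


def audit_share(invited_members, share_max, create_min="maintainer"):
    """Return one finding per user for whom two 'may create projects'
    checks disagree:
      by_share_cap  - looks only at the share's max role (assumed model
                      of the behaviour reported in the issue)
      by_effective  - looks at the member's effective role (expected)
    """
    cap, need = ACCESS[share_max], ACCESS[create_min]
    findings = []
    for user, role in sorted(invited_members.items()):
        eff = effective_level(ACCESS[role], cap)
        by_share_cap = cap >= need
        by_effective = eff >= need
        if by_share_cap != by_effective:
            findings.append({
                "user": user,
                "role_in_invited_group": role,
                "effective_role": NAME[eff],
                "create_allowed_by_share_cap": by_share_cap,
                "create_allowed_by_effective_role": by_effective,
            })
    return findings


# Constructed members of "group B"; carol is added to show a user who
# really is a maintainer and therefore produces no finding.
GROUP_B = {"alice": "developer", "bob": "developer", "carol": "maintainer"}

if __name__ == "__main__":
    for f in audit_share(GROUP_B, share_max="maintainer"):
        print(f"{f['user']}: effective role {f['effective_role']}, "
              f"but the share cap alone would allow project creation")
```

Each finding is a user who would see the New project button under the share-cap check while still holding only their lower effective role, which is the combination the report describes.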