Admin user gets 403 when using the MR external status endpoint

Summary

As per the documentation, Admin users should have access to everything in a GitLab instance. This does not happen for the MR status check endpoint.

When the Admin user is not a member of a project with MR external status checks configured, the Admin gets a 403. This affects both GET and POST request types.

Permissions documentation:

When you add a user to a project or group, you assign them a role. The role determines which actions they can take in GitLab.

If you add a user to both a project’s group and the project itself, the higher role is used.

GitLab administrators have all permissions.

Steps to reproduce

Example Project

  • GitLab Team Members: Please feel free to request access to the test project

What is the current bug behavior?

When the Admin user is not a member of a project with MR external status checks configured, the Admin gets a 403 when querying the MR external status checks endpoint.

What is the expected correct behavior?

The Admin user should be able to query the MR external status checks endpoint, regardless of being a member of the project or not.

Relevant logs and/or screenshots

{"message":"403 Forbidden"}

Output of checks

This bug happens on GitLab.com

Possible fixes

N/A

Edited by Grant Hickman