Advanced Search fails to return results for users with inherited group membership through shared groups

Summary

Advanced Search does not return results for users who have access to a project through inherited group ownership combined with group sharing (double inheritance). The user can view the project and its code, but search returns no results.

Steps to reproduce

  1. Create the following group/project hierarchy:

    • Create Group1 (top-level group)
    • Create subgroup1 as a child of Group1
    • Create Project1 in a different location (not under Group1 or subgroup1)

  2. Set up permissions:

    • Add User A as a direct Owner of Group1
    • User A is now indirectly an owner of subgroup1 (via inheritance)
    • Invite subgroup1 with Reporter role to Project1

  3. Log in as User A and navigate to Project1:

    • Verify that User A can view the project
    • Verify that User A can see the code/files in the repository
    • Attempt to search for content within Project1 using Advanced Search.
      • On GitLab.com we use Exact code search(Zoekt). To force advanced search, add &search_type=advanced in the URL.

The issue does NOT reproduce if:

  • User A is a direct member of subgroup1
  • Group1 is invited to Project1
  • If Exact code search(Zoekt) is used

Example Project

What is the current bug behavior?

What is the expected correct behavior?

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes

Patch release information for backports

If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.

Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.

High-severity bug remediation

To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.

Edited by 🤖 GitLab Bot 🤖