Fix protected branch access inherited from parent group (!11616) · Merge requests · GitLab.org / GitLab

You need to sign in or sign up before continuing.

Stan Hu requested to merge sh-fix-issue-11323 into master Apr 25, 2019

Suppose you have this configuration:

Subgroup hello/world
Subgroup hello/mergers.
Project hello/world/my-project has invited group hello/world to access protected branches.
The rule allows the group to merge but no one can push.
User newuser has Owner access to the parent group hello.

Even though newuser doesn't belong to hello/world, the user does belong to hello, and so should have permission to merge to protected branches. Besides, the user can't be added directly to hello/world because he is already an Owner.

To fix this, we expand the protected branch access to check to include membership in parent groups as well.

Closes #11323 (closed)

Edited Apr 26, 2019 by Stan Hu

Fix protected branch access inherited from parent group

Merge request reports