Prevent existing undeleted user access to return true (!132380) · Merge requests · GitLab.org / GitLab

Patrick Cyiza requested to merge prevent-rogue-access-levels into master Sep 21, 2023

What does this MR do and why?

Prevent existing undeleted user access to return true

Some revoked inherited members of groups with personalized protected branch rules could still push to protected branches

This is a follow-up of: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3562

See comments: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3562#note_1566944380

Also see why security-fix-in-public https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3584#note_1568939593

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Sep 21, 2023 by Patrick Cyiza

Prevent existing undeleted user access to return true

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports