Groups API: fix shared_with_groups to include all authorized groups

What does this MR do and why?

There is a bug in the Groups API when retrieving shared_with_groups of a group (Details of a group), see #322145 (closed) and #328428 (closed): For security reasons, the shared_with_groups list contains only those groups for which the calling user is authorized. That makes sense. However, a group to which the user has no direct membership but an inherited membership (via a parent group) is incorrectly not included in the list.

The bug is in the method User#authorized_groups (or more precisely User#authorized_groups_without_shared_membership), which according to its name should actually return all groups for which the user is authorized. But through inheritance, the user is also authorized for subgroups, which are incorrectly not returned.

Update: As User#authorized_groups should not be changed (!76556 (comment 783469022)), another fix must be applied.

This MR fixes this bug and solves #322145 (closed) and #328428 (closed).

🛠 with ❤ at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Create public group Test-Group.
  2. Create private group Company and its private sub group Company/Sales.
  3. Visit members page of group Company and add user userX as member.
  4. Visit members page of group Test-Group and invite group Company/Sales (shared group).
  5. Get details of Test-Group group via API:
    • anonymous: curl http://localhost:3000/api/v4/groups/<id of Test-Group>
      Response: ..., "shared_with_groups":[], ...
    • as admin: curl --header "PRIVATE-TOKEN: <admin token>" http://localhost:3000/api/v4/groups/<id of Test-Group>
      Response: ..., "shared_with_groups":[{..., "group_name":"Sales", ...}], ...
    • as userX (before MR): curl --header "PRIVATE-TOKEN: <token of userX>" http://localhost:3000/api/v4/groups/<id of Test-Group>
      Response: ..., "shared_with_groups":[], ...
    • as userX (after MR): curl --header "PRIVATE-TOKEN: <token of userX>" http://localhost:3000/api/v4/groups/<id of Test-Group>
      Response: ..., "shared_with_groups":[{..., "group_name":"Sales", ...}], ...
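The scenario from the validation steps above, modelled as an added Ruby example (constructed here, not GitLab's code): the group paths, the membership of userX in Company and the invitation of Company/Sales into Test-Group are hard-coded from the steps, and the `inherited:` flag switches between the pre-fix direct-membership check and the inherited-membership check.

```ruby
# Constructed toy model of the validation scenario; not GitLab code.
# Groups are keyed by full path; :parent is the parent group, nil for top level.
GROUPS = {
  "Test-Group"    => { parent: nil,       visibility: :public },
  "Company"       => { parent: nil,       visibility: :private },
  "Company/Sales" => { parent: "Company", visibility: :private }
}.freeze

# Direct memberships only: userX was added to Company, never to Company/Sales.
DIRECT_MEMBERSHIPS = { "userX" => ["Company"] }.freeze

# Test-Group was shared with (invited) the group Company/Sales.
SHARED_WITH_GROUPS = { "Test-Group" => ["Company/Sales"] }.freeze

# Walk the :parent chain and collect every ancestor of a group.
def ancestors(group)
  chain = []
  while (parent = GROUPS.fetch(group)[:parent])
    chain << parent
    group = parent
  end
  chain
end

# Buggy behaviour described in the MR: only direct memberships count.
def authorized_groups_direct_only(user)
  DIRECT_MEMBERSHIPS.fetch(user, [])
end

# Corrected behaviour: membership is inherited down the hierarchy, so a user
# is also authorized for every subgroup of a group they are a member of.
def authorized_groups_with_inheritance(user)
  direct = authorized_groups_direct_only(user)
  GROUPS.keys.select { |g| direct.include?(g) || (ancestors(g) & direct).any? }
end

# Filter shared_with_groups the way the API response does: admins see all,
# anonymous callers (user = nil) and regular users see only public groups or
# groups they are authorized for.
def visible_shared_with_groups(group, user, admin: false, inherited: true)
  shared = SHARED_WITH_GROUPS.fetch(group, [])
  return shared if admin
  authorized =
    if user.nil? then []
    elsif inherited then authorized_groups_with_inheritance(user)
    else authorized_groups_direct_only(user)
    end
  shared.select { |g| GROUPS.fetch(g)[:visibility] == :public || authorized.include?(g) }
end
```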

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jonas Wälter