Prevent project maintainers from creating or modifying Project Owners
What does this MR do and why?
Split off from https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2335/ (where there is a lot of discussion).
This MR prevents a project maintainer from doing the following in the project:
- creating an OWNER member
- promoting non-owners to OWNER
- demoting an OWNER member
- destroying an OWNER
How to set up and validate locally
On master branch
Given a project (id 42), a non-admin project maintainer user (id 25), and an unrelated user (id 70), use the API to do the following:
- Create a new OWNER member with another user

```shell
$ curl --request POST --header "PRIVATE-TOKEN: glpat-<token>" --data "user_id=70&access_level=50" "https://gdk.test:3443/api/v4/projects/42/members"
{"id":70,"username":"test1","name":"super person","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/test1","access_level":50,"created_at":"2022-03-29T09:09:16.005Z","expires_at":null,"membership_state":"active"}
```

- Promote another user to OWNER

```shell
$ curl --request PUT --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/70?access_level=50"
{"id":70,"username":"test1","name":"super person","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/test1","access_level":50,"created_at":"2022-03-29T09:09:16.005Z","expires_at":null,"membership_state":"active"}
```

- Demote another user from OWNER (you'll have to promote someone OR set OWNER via console because the UI doesn't allow it yet)

```shell
$ curl --request PUT --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/70?access_level=20"
{"id":70,"username":"test1","name":"super person","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/test1","access_level":20,"created_at":"2022-03-29T09:09:16.005Z","expires_at":null,"membership_state":"active"}
```

- Promote self to OWNER

```shell
$ curl --request PUT --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/25?access_level=50"
{"id":25,"username":"user25","name":"Aleen Lehner","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/user25","access_level":50,"created_at":"2022-03-07T23:49:28.006Z","expires_at":null,"membership_state":"active"}
```

- Destroy an existing OWNER membership

```shell
$ curl --request DELETE --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/132"
```
On this branch
Try the above again; none of them should work. Each request should be refused with 403 Forbidden (see spec/requests/api/members_spec.rb for the exact error codes).
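An added validation helper, not GitLab's code and not part of this MR, that replays the five calls above with a maintainer's token and reports any that did not come back 403. The base URL, the ids (project 42, self 25, other 70, owner membership 132) and the injectable `send` transport are assumptions made for the example.

```python
import urllib.error
import urllib.request

OWNER = 50     # GitLab access level for Owner
REPORTER = 20  # GitLab access level for Reporter, used for the demotion case


def http_send(method, url, token, body=None):
    """Real transport: perform the request and return the HTTP status code."""
    data = body.encode() if body else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 is the expected outcome here, not a failure


def owner_change_attempts(base, project, self_id, other_id, owner_member_id):
    """The five operations the MR forbids, as (name, method, url, body) tuples."""
    members = f"{base}/api/v4/projects/{project}/members"
    return [
        ("create owner", "POST", members,
         f"user_id={other_id}&access_level={OWNER}"),
        ("promote other to owner", "PUT",
         f"{members}/{other_id}?access_level={OWNER}", None),
        ("demote owner", "PUT",
         f"{members}/{owner_member_id}?access_level={REPORTER}", None),
        ("promote self to owner", "PUT",
         f"{members}/{self_id}?access_level={OWNER}", None),
        ("destroy owner", "DELETE", f"{members}/{owner_member_id}", None),
    ]


def verify_owner_protection(base, token, project, self_id, other_id,
                            owner_member_id, send=http_send):
    """Replay each attempt with the maintainer token; return those not refused.

    An empty list means the protection holds. `send` is injectable (assumed
    hook) so the check can run against a fake transport without a server.
    """
    failures = []
    attempts = owner_change_attempts(base, project, self_id, other_id,
                                     owner_member_id)
    for name, method, url, body in attempts:
        status = send(method, url, token, body)
        if status != 403:
            failures.append((name, status))
    return failures
```

Run it as `verify_owner_protection("https://gdk.test:3443", "glpat-<token>", 42, 25, 70, 132)` with a maintainer token; a non-empty result names the operation that slipped through and the status it returned.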
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by charlie ablett