Users with developer access cannot access custom group-level project templates
Summary
Users that are granted developer access to a group, and can create projects in the group, cannot access the custom group-level project templates on the new project page. The documentation for group-level project templates doesn't mention this restriction. If a user can create a project within a group, they should have access to the group's project templates.
Currently, the user needs to be a maintainer or owner of the subgroup where the templates are stored for them to have access to the templates when creating a new project in the parent group.
Steps to reproduce
- As an admin, enable the custom group-level project templates to a parent group via the Group Settings -> General -> Custom Project Templates. Set a subgroup within the group as the custom project template source for this group.
- Add a template within that subgroup.
- Impersonate a user with developer access to the parent group.
- Create a new project within the group as the developer, and choose the Create from Template tab.
- There are no group level project templates available.
- If you try steps 3-5 as a maintainer or owner of the group, you'll see group-level project templates available.
What is the current bug behavior?
Developers can't access custom group-level project templates when creating projects within a group.
What is the expected correct behavior?
Developers should be able to access the custom group-level project templates when creating projects within a group.
Output of checks
(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)
Results of GitLab environment info
Expand for output related to GitLab environment info
ystem information System: Ubuntu 16.04 Proxy: no Current User: git Using RVM: no Ruby Version: 2.5.3p105 Gem Version: 2.7.6 Bundler Version:1.17.3 Rake Version: 12.3.2 Redis Version: 3.2.12 Git Version: 2.18.1 Sidekiq Version:5.2.5 Go Version: unknown
GitLab information Version: 11.10.0-ee Revision: dfa95630be4 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 9.6.11 URL: http://198.199.92.126 HTTP Clone URL: http://198.199.92.126/some-group/some-project.git SSH Clone URL: git@198.199.92.126:some-group/some-project.git Elasticsearch: yes Geo: no Using LDAP: yes Using Omniauth: yes Omniauth Providers: saml, group_saml
GitLab Shell Version: 9.0.0 Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 9.0.0 ? ... OK (9.0.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain LDAP authentication... Failed. Check
bind_dn
andpassword
configuration values LDAP users with access to your GitLab server (only showing the first 100 results) Server: ldapsecondary LDAP authentication... Failed. Checkbind_dn
andpassword
configuration values LDAP users with access to your GitLab server (only showing the first 100 results)Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 46/1 ... yes 46/2 ... yes 46/3 ... yes 46/4 ... yes 47/5 ... yes 47/6 ... yes 47/8 ... yes 47/9 ... yes 47/10 ... yes 47/11 ... yes 48/12 ... yes 48/13 ... yes 48/14 ... yes 48/15 ... yes 48/16 ... yes 48/17 ... yes 49/18 ... yes 49/19 ... yes 49/20 ... yes 49/21 ... yes 49/22 ... yes 49/23 ... yes 49/24 ... yes 49/25 ... yes 49/26 ... yes 49/27 ... yes 50/28 ... yes 50/29 ... yes 50/30 ... yes 50/31 ... yes 50/32 ... yes 50/33 ... yes 50/34 ... yes 51/35 ... yes 51/36 ... yes 51/37 ... yes 51/38 ... yes 51/39 ... yes 51/40 ... yes 51/41 ... yes 51/42 ... yes 51/43 ... yes 52/44 ... yes 52/45 ... yes 52/46 ... yes 52/47 ... yes 52/48 ... yes 52/49 ... yes 52/50 ... yes 52/51 ... yes 53/52 ... yes 53/53 ... yes 53/54 ... yes 53/55 ... yes 53/56 ... yes 53/57 ... yes 53/58 ... yes 53/59 ... yes 54/60 ... yes 54/61 ... yes 54/62 ... yes 55/63 ... yes 55/64 ... yes 56/65 ... yes 56/66 ... yes 56/67 ... yes 57/68 ... yes 57/69 ... yes 57/70 ... yes 57/71 ... yes 57/72 ... yes 57/73 ... yes 58/74 ... yes 58/75 ... yes 58/76 ... yes 58/77 ... yes 58/78 ... yes 59/79 ... yes 59/80 ... yes 59/81 ... yes 59/82 ... yes 59/83 ... yes 59/84 ... yes 59/85 ... yes 60/86 ... yes 60/87 ... yes 60/88 ... yes 60/89 ... yes 60/90 ... yes 1/91 ... yes 60/92 ... yes 1/93 ... yes 83/94 ... yes 83/95 ... yes 83/96 ... yes 84/97 ... yes 84/98 ... yes 84/99 ... yes 84/100 ... yes 85/101 ... yes 85/102 ... yes 85/103 ... yes 86/104 ... yes 86/105 ... yes 86/106 ... yes 86/107 ... yes 86/108 ... yes 87/109 ... yes 87/110 ... yes 88/111 ... yes 88/112 ... yes 88/113 ... yes 89/114 ... yes 89/115 ... yes 90/116 ... yes 90/117 ... yes 90/118 ... yes 90/119 ... yes 91/120 ... yes 91/121 ... yes 91/122 ... yes 91/123 ... yes 91/124 ... yes 98/125 ... yes 91/126 ... yes 110/127 ... yes 60/128 ... yes 60/129 ... yes 60/130 ... yes 1/131 ... yes 1/132 ... yes 1/133 ... yes 1/134 ... yes 1/135 ... yes 1/136 ... yes 1/137 ... yes 60/138 ... yes 111/139 ... yes 1/140 ... yes 1/141 ... yes 1/142 ... yes 104/143 ... yes 1/144 ... yes 1/145 ... yes 1/146 ... yes 1/147 ... yes 114/148 ... yes 1/149 ... yes 1/150 ... yes 117/151 ... yes 118/152 ... yes 119/153 ... yes 1/154 ... yes 60/155 ... yes 1/156 ... yes 1/157 ... yes 60/158 ... yes 121/159 ... yes 91/160 ... yes 1/161 ... yes 128/162 ... yes 1/163 ... yes 1/164 ... yes 121/165 ... yes 115/166 ... yes 115/167 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.5.3) Git version >= 2.18.0 ? ... yes (2.18.1) Git user has default SSH configuration? ... yes Active users: ... 75 Elasticsearch version 5.6 - 6.x? ... yes (6.6.1)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
The user access is set to Maintainer in this line of code, which restricts the groups with custom templates found to those that the user is a maintainer or owner of. If the user is a developer and can create a new project, the access should be at Developer, which will return the subgroups with the templates.
cc/ @jeremy