Group owner cannot enable/disable a specific runner that was registered in a project under a subgroup
Summary
ZD: https://gitlab.zendesk.com/agent/tickets/87005
Steps to reproduce
- UserA creates a group `group-a`. UserA is a group owner, so he has access to all resources.
- UserA creates a subgroup `group-a/subgroup-a`
- UserA creates a project `group-a/subgroup-a/project-a`
- UserB creates a subgroup `group-a/subgroup-b`
- UserB creates a project `group-a/subgroup-b/project-b`
- UserB registers a specific-runner in `group-a/subgroup-b/project-b`
- UserB can enable/disable the specific-runner in `group-a/subgroup-b/project-b`
- UserA can enable/disable the specific-runner in `group-a/subgroup-b/project-b`
- UserA can NOT enable/disable the specific-runner in `group-a/subgroup-a/project-a` <- BUG
What is the current bug behavior?
- UserA can NOT enable/disable the specific-runner in `group-a/subgroup-a/project-a` <- BUG
What is the expected correct behavior?
- UserA can enable/disable the specific-runner in `group-a/subgroup-a/project-a`
Possible fixes
This code doesn't take subgroups into account. Too old.
```ruby
# app/models/user.rb
def ci_authorized_runners
  @ci_authorized_runners ||= begin
    # Runners attached to any project returned by ci_projects_union
    runner_ids = Ci::RunnerProject
      .where("ci_runner_projects.project_id IN (#{ci_projects_union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection
      .select(:runner_id)
    Ci::Runner.specific.where(id: runner_ids)
  end
end

def ci_projects_union
  scope = { access_level: [Gitlab::Access::MASTER, Gitlab::Access::OWNER] }
  # Projects of the user's groups only; subgroups are not taken into account
  groups = groups_projects.where(members: scope)
  other = projects.where(members: scope)

  Gitlab::SQL::Union.new([personal_projects.select(:id), groups.select(:id),
                          other.select(:id)])
end
```
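The following is an added example, not GitLab's code and not part of the original issue. It models the lookup above in plain Ruby using the groups, projects and runner from the reproduction steps, and compares a direct-membership lookup with one that also walks down into subgroups. The membership table, hash names, helper names and the `include_subgroups` flag are assumptions made for illustration.

```ruby
require "set"

MASTER, OWNER = 40, 50 # same values as Gitlab::Access::MASTER / OWNER

# Constructed data mirroring the reproduction steps.
GROUP_PARENT = {
  "group-a" => nil,
  "group-a/subgroup-a" => "group-a",
  "group-a/subgroup-b" => "group-a"
}.freeze
PROJECT_GROUP = {
  "group-a/subgroup-a/project-a" => "group-a/subgroup-a",
  "group-a/subgroup-b/project-b" => "group-a/subgroup-b"
}.freeze
# Assumed direct memberships: [user, group] => access level
MEMBERS = {
  ["UserA", "group-a"] => OWNER,
  ["UserA", "group-a/subgroup-a"] => OWNER,
  ["UserB", "group-a/subgroup-b"] => OWNER
}.freeze
RUNNER_PROJECT = { 1 => "group-a/subgroup-b/project-b" }.freeze # runner id => project

def direct_groups(user)
  MEMBERS.select { |(u, _), lvl| u == user && [MASTER, OWNER].include?(lvl) }.keys.map(&:last)
end

# The given groups plus every descendant; access is inherited downward only.
def with_descendants(groups)
  all = groups.to_set
  loop do
    children = GROUP_PARENT.select { |g, parent| all.include?(parent) && !all.include?(g) }.keys
    break if children.empty?
    all.merge(children)
  end
  all
end

def authorized_projects(user, include_subgroups:)
  groups = direct_groups(user)
  groups = with_descendants(groups) if include_subgroups
  PROJECT_GROUP.select { |_, g| groups.include?(g) }.keys.sort
end

def authorized_runner_ids(user, include_subgroups:)
  projects = authorized_projects(user, include_subgroups: include_subgroups)
  RUNNER_PROJECT.select { |_, p| projects.include?(p) }.keys
end
```

With `include_subgroups: false` UserA's runner list is empty, which matches the reported behaviour; with `true` it contains the runner from `project-b`, while UserB's project list still excludes the sibling `subgroup-a`.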
/cc @ayufan @yorickpeterse @bikebilly @arihantar
Related: https://gitlab.com/gitlab-com/infrastructure/issues/3536
Edited by Dylan Griffith