Inherited member permissions aren't applying
Summary
When making an API request, UserA receives an empty response from the approval_rules API.
Once UserA is given explicit "developer" access to the approval-groupA
Also, when adding a group comprised of members with inherited permissions from a parent group to approval rules, they are not appearing.
Empty Response
curl -X GET --header "PRIVATE-TOKEN: <UserA token with api>" https://gitlab.com/api/v4/projects/21372027/approval_rules
[
  {
    "id":518123,
    "name":"approval-group",
    "rule_type":"regular",
    "eligible_approvers":[],
    "approvals_required":1,
    "users":[],
    "groups":[],
    "contains_hidden_groups":true,
    "protected_branches":[]
  }
]
Full response after adding explicit membership
curl -X GET --header "PRIVATE-TOKEN: <UserA token with api>" https://gitlab.com/api/v4/projects/21372027/approval_rules
[
  {
    "id":518123,
    "name":"approval-group",
    "rule_type":"regular",
    "eligible_approvers":[
      {
        "id":4868295,
        "name":"Michael Lussier",
        "username":"m_lussier",
        "state":"active",
        "avatar_url":"https://assets.gitlab-static.net/uploads/-/system/user/avatar/4868295/avatar.png",
        "web_url":"https://gitlab.com/m_lussier"
      },
      {
        "id":7187833,
        "name":"fakeman guylast",
        "username":"fakemanguytest",
        "state":"active",
        "avatar_url":"https://secure.gravatar.com/avatar/4923321730d0485e3c6c0c65c95829be?s=80\u0026d=identicon",
        "web_url":"https://gitlab.com/fakemanguytest"
      }
    ],
    "approvals_required":1,
    "users":[],
    "groups":[
      {
        "id":9500267,
        "web_url":"https://gitlab.com/groups/test-gold-group1/approval-groupa",
        "name":"approval-groupA",
        "path":"approval-groupa",
        "description":"",
        "visibility":"private",
        "share_with_group_lock":false,
        "require_two_factor_authentication":false,
        "two_factor_grace_period":48,
        "project_creation_level":"developer",
        "auto_devops_enabled":null,
        "subgroup_creation_level":"maintainer",
        "emails_disabled":null,
        "mentions_disabled":null,
        "lfs_enabled":true,
        "default_branch_protection":2,
        "avatar_url":null,
        "request_access_enabled":true,
        "full_name":"test-gold-group / approval-groupA",
        "full_path":"test-gold-group1/approval-groupa",
        "created_at":"2020-09-25T19:46:57.692Z",
        "parent_id":9500051,
        "ldap_cn":null,
        "ldap_access":null,
        "marked_for_deletion_on":null
      }
    ],
    "contains_hidden_groups":false,
    "protected_branches":[]
  }
]
Missing approvers from inherited group comprised of members with inherited permissions: https://gitlab.com/test-gold-group1/project-groupa/projecta
Steps to reproduce
UserA will have this "Empty Response" specifically with this setup:
groupA <-- UserA & UserB has developer access here
  approval-groupA <-- UserB with developer access, group used for approval rule in project
  project-groupA
    projectA <-- approval rule linked to approval-group
UserA will have this "Full Response (expected)", UserA given explicit developer access to approval-groupA:
groupA <-- UserA & UserB has developer access here
  approval-groupA <-- UserA given explicit "developer" access instead of just inherited
  project-groupA
    projectA <-- approval rule linked to approval-group
Complete successful API response for call to approval_rules
Example Project
groupA: https://gitlab.com/test-gold-group1
project-group A: https://gitlab.com/test-gold-group1/project-groupa
projectA: https://gitlab.com/test-gold-group1/project-groupa/projecta
approval-group A: https://gitlab.com/test-gold-group1/approval-groupa
What is the current bug behavior?
When making an API request, UserA receives an empty response from the approval_rules API.
What is the expected correct behavior?
When making an API request, UserA receives a full response from the approval_rules API without explicit "developer" access to approval-groupA.
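The following check is an added example, not part of the original issue and not GitLab code. It audits approval_rules responses for the condition reported above (a rule that hides its groups and shows fewer eligible approvers than it requires) and compares two callers' views of the same project. The function names `audit_rules` and `view_gap` are hypothetical, and the inputs are constructed samples trimmed from the two responses quoted in the issue.

```python
import json

# Constructed samples: the two responses quoted in the issue, trimmed to the fields used here.
LIMITED_VIEW = json.loads("""[{"id":518123,"name":"approval-group",
  "eligible_approvers":[],"approvals_required":1,"groups":[],
  "contains_hidden_groups":true}]""")
FULL_VIEW = json.loads("""[{"id":518123,"name":"approval-group",
  "eligible_approvers":[{"id":4868295,"username":"m_lussier"},
                        {"id":7187833,"username":"fakemanguytest"}],
  "approvals_required":1,
  "groups":[{"id":9500267,"full_path":"test-gold-group1/approval-groupa"}],
  "contains_hidden_groups":false}]""")


def audit_rules(rules):
    """Hypothetical helper: flag rules whose approvers are hidden from, or too few in, this view."""
    findings = []
    for rule in rules:
        approvers = sorted(a["username"] for a in rule.get("eligible_approvers", []))
        problems = []
        if rule.get("contains_hidden_groups"):
            problems.append("hidden_groups")
        if rule.get("approvals_required", 0) > len(approvers):
            problems.append("fewer_visible_approvers_than_required")
        if problems:
            findings.append({"id": rule["id"], "name": rule["name"],
                             "problems": problems, "visible_approvers": approvers})
    return findings


def view_gap(limited, full):
    """Hypothetical helper: per rule id, approvers and groups in `full` but not in `limited`."""
    seen = {r["id"]: r for r in limited}
    gaps = {}
    for rule in full:
        low = seen.get(rule["id"], {})
        users = ({a["username"] for a in rule.get("eligible_approvers", [])}
                 - {a["username"] for a in low.get("eligible_approvers", [])})
        groups = ({g["full_path"] for g in rule.get("groups", [])}
                  - {g["full_path"] for g in low.get("groups", [])})
        if users or groups:
            gaps[rule["id"]] = {"approvers": sorted(users), "groups": sorted(groups)}
    return gaps


if __name__ == "__main__":
    print(json.dumps(audit_rules(LIMITED_VIEW), indent=2))
    print(json.dumps(view_gap(LIMITED_VIEW, FULL_VIEW), indent=2))
```

To use it on live data, save the JSON output of the two curl calls shown in the issue and pass the parsed lists in place of the constructed samples.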