API: can't access subgroup runner with inherited role

Summary

The API returns 403 when requesting information on a runner in a subgroup for an Owner inherited from the parent group.

Steps to reproduce

  1. Create a group or add userA as Owner to group.
  2. Have userB create a subgroup. UserA has inherited Owner role.
  3. Add runner to subgroup.
  4. Try to get runner details via API.

According to the original customer report, the user can add, but not list, show, update or remove a runner in their subgroup.

Example Project

Reproduced in private (sub)group.

Original report ZD (internal): https://gitlab.zendesk.com/agent/tickets/112734

What is the current bug behavior?

Get a 403.

What is the expected correct behavior?

Runner information returned.

Relevant logs and/or screenshots

Using a user who is an Owner in the parent group.

When attempting to access subgroup runner:

$ curl --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/runners/<id>"
{"message":"403 Forbidden  - No access granted"}

If accessing a different runner added at group level, it works fine:

$ curl --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/runners/<id>"
{"id":<id>,"description":"<name>","ip_address":"<ip>","active":true,"is_shared":false,"name":"<name>","online":true,"status":"online","tag_list":["<name>"],"run_untagged":false,"locked":true,"maximum_timeout":null,"access_level":"not_protected","version":"11.1.0","revision":"081978aa","platform":"<word>","architecture":"<word>","contacted_at":"2019-01-29T17:12:02.511Z","token":"<token>","projects":[],"groups":[{"id":<id>,"web_url":"https://gitlab.com/groups/<name>","name":"<name>"}]}

Output of checks

GitLab.com, 11.7.0-ee

Edited by Cynthia "Arty" Ng
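
The reproduction steps above, written as a small authorization model with a regression check for inherited roles (an added example, not GitLab's code and not part of the original report). The `Group` class, the function names and the Owner threshold for reading a group runner are assumptions; the direct-membership-only check is included only as a contrast that yields the same symptoms as the report, and the report does not state the actual cause.

```python
from dataclasses import dataclass, field

OWNER = 50      # GitLab's numeric access level for the Owner role
NO_ACCESS = 0


@dataclass
class Group:
    name: str
    parent: "Group | None" = None
    members: dict = field(default_factory=dict)  # user -> access level


def direct_access(user, group):
    """Access level from membership on this group only (no inheritance)."""
    return group.members.get(user, NO_ACCESS)


def effective_access(user, group):
    """Highest level held on the group or any ancestor (inherited role)."""
    level, node = NO_ACCESS, group
    while node is not None:
        level = max(level, direct_access(user, node))
        node = node.parent
    return level


def runner_status(user, runner_groups, access_fn=effective_access):
    """Modelled HTTP status for GET /runners/:id on a group runner.

    Assumption: Owner on any group the runner is assigned to is required.
    """
    allowed = any(access_fn(user, g) >= OWNER for g in runner_groups)
    return 200 if allowed else 403


def reproduce():
    """Steps 1-2 of the report: userA owns the parent, userB creates the subgroup."""
    parent = Group("parent", members={"userA": OWNER})
    sub = Group("sub", parent=parent, members={"userB": OWNER})
    return parent, sub


if __name__ == "__main__":
    parent, sub = reproduce()
    print("expected (inherited):", runner_status("userA", [sub]))
    print("direct-only contrast:", runner_status("userA", [sub], direct_access))
```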