Group push permissions can enforce project-level insecure settings
Problem to solve
Enabling either "Reject unverified users" or "Reject unsigned commits" at the group level while the setting is off on an existing project makes the corresponding checkbox un-selectable in Project → Settings → Push Rules, yet the rule is still not enforced on that project.
The docs are clear that Group Push Rules apply to "newly created projects within the specific group", but they do not mention that existing projects can no longer change "Reject unverified users" or "Reject unsigned commits" once the group-level setting is enabled. This leaves the permissions in an uncertain state: the unchecked and dimmed checkbox implies the setting is managed by the parent, but the parent setting is not actually applied.
This is a confusing GUI state, because it is not obvious that the group-level restriction is not applied to the project. The project checkboxes can only be changed by disabling the group-level setting, editing the project, and then re-enabling the group setting.
Steps to reproduce
- Create a group
- Create a project inside the group
- Deselect "Reject unverified users" & "Reject unsigned commits" in the project in Project → Settings → Push Rules
- Set "Reject unverified users" & "Reject unsigned commits" in Push Rules in the parent group
- Verify that "Reject unverified users" & "Reject unsigned commits" are now locked in "Off" state
- Push a commit from an unverified user to the project
- Verify that the commit completed
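Because a greyed-out project checkbox does not mean the rule is in force, the practical check is to compare each project's own push rule with the group's. The script below is an added example, not part of this issue or of GitLab's own code. It uses the GitLab REST API endpoints GET /groups/:id/push_rule, GET /groups/:id/projects and GET /projects/:id/push_rule with a private token; the two attribute names are the ones named in this issue, and the sample API responses are constructed here to mirror the reproduction above (the project paths other than the example project are made up).

```python
"""Audit a GitLab group for projects on which a group-level push rule is not
actually enforced (added example, not part of the original issue).

Compares the group's push rule with every project's own push rule for the two
attributes named in the issue: commit_committer_check ("Reject unverified
users") and reject_unsigned_commits ("Reject unsigned commits").
"""
import json
import urllib.error
import urllib.request
from typing import Optional

# The two push-rule attributes named in the issue.
AUDITED_RULES = ("commit_committer_check", "reject_unsigned_commits")


def find_unenforced(group_rule: dict, project_rules: dict) -> dict:
    """Return {project_path: [rule, ...]} for every project where a rule that
    is enabled at group level is not enabled on the project itself.

    group_rule:    JSON body of GET /groups/:id/push_rule
    project_rules: {project path: JSON body of GET /projects/:id/push_rule,
                    or None when the project has no push rule at all (404)}
    A project with no push rule of its own enforces nothing, so it is reported
    for every rule the group enables.
    """
    findings = {}
    for path, rule in project_rules.items():
        missing = [
            name for name in AUDITED_RULES
            if group_rule.get(name) and not (rule or {}).get(name)
        ]
        if missing:
            findings[path] = missing
    return findings


def _get(base_url: str, token: str, path: str) -> Optional[object]:
    """GET one API resource as JSON; None on 404 (e.g. project has no push rule)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token}
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def audit_group(base_url: str, token: str, group_id: str) -> dict:
    """Live version: fetch the group rule and each project's rule, then compare.

    Only the first 100 projects are fetched; follow the API's pagination
    headers for larger groups.
    """
    group_rule = _get(base_url, token, f"/groups/{group_id}/push_rule") or {}
    projects = _get(
        base_url, token,
        f"/groups/{group_id}/projects?include_subgroups=true&per_page=100",
    ) or []
    project_rules = {
        p["path_with_namespace"]: _get(base_url, token, f"/projects/{p['id']}/push_rule")
        for p in projects
    }
    return find_unenforced(group_rule, project_rules)


# Constructed sample responses (not real API output). The group enables both
# rules; the example project from the issue has both switched off; the other
# two project paths are invented for illustration.
SAMPLE_GROUP_RULE = {"commit_committer_check": True, "reject_unsigned_commits": True}
SAMPLE_PROJECT_RULES = {
    "dharris-pages/permissions": {"commit_committer_check": False,
                                  "reject_unsigned_commits": False},
    "dharris-pages/compliant": {"commit_committer_check": True,
                                "reject_unsigned_commits": True},
    "dharris-pages/no-rule": None,
}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in audit_group(...)
    # with a base URL, token and group id to run it against a live instance.
    for path, rules in find_unenforced(SAMPLE_GROUP_RULE, SAMPLE_PROJECT_RULES).items():
        print(f"{path}: group enables {', '.join(rules)} but the project does not")
```

Any project the script reports is one where a push with an unverified committer or an unsigned commit will still be accepted despite the group-level setting, which is exactly the state the reproduction steps above produce.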
Example Project
https://gitlab.com/dharris-pages/permissions/
What is the current bug behavior?
Enabling a group-level push rule locks the corresponding project-level setting without enforcing it, and sometimes the only way to update the project-level setting is to change other permissions (the group-level rule) first.
What is the expected correct behavior?
The GUI should allow these permissions to be updated or offer to enforce group permissions on all child projects.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com.
Results of GitLab environment info
Reproduced on GitLab.com, GitLab Enterprise Edition 13.9.0-pre 0078d8eb
Proposal
- Stop disabling the two project-level inputs (commit_committer_check and reject_unsigned_commits), regardless of the group-level input value.
- Add an info tip to the group inputs: "This will only be used as the default value for new projects. This setting is not enforced and will not affect existing projects in any way."
- Add an explanation to the push rules documentation.
Out of scope
Ultimately we want the group-level behavior to be enforced, but it has been decided that is too much complexity to pursue right now.