Git over HTTP operations don't respect user.admin? when in admin_mode
Summary
When Admin Mode is enabled in GitLab, Git over HTTP operations normally available to administrative users (e.g. cloning a project where the user is not otherwise a direct or inherited member of the project) are blocked with a NotFound error:
Cloning into 'admin-mode-test'...
remote: The project you were looking for could not be found or you don't have permission to view it.
This conflicts with the current documentation - which mentions:
The following access methods are not protected by Admin Mode:
- Git client access (SSH using public keys or HTTPS using Personal Access Tokens).
Steps to reproduce
- Enable Admin Mode
- Try to clone a project, as an administrative user, to which you do not otherwise have permissions
- The clone operation results in a 404
Possible fixes
In theory, the around action that calls `sessionless_bypass_admin_mode!` for sessionless users should handle this.
However, the `GitHttpController` bypasses Devise and handles authentication on its own.
It may be possible to utilize `auth_user` instead of the Devise `current_user` in both the `sessionless_user?` check as well as `sessionless_bypass_admin_mode!`.
This worked in rudimentary local testing with a 14.7.0 instance. However, I'm unsure of all of the ramifications of using `auth_user` instead of `current_user` in `SessionlessAuthentication`.
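A simplified model of the bypass logic described above, added here as an illustration and not GitLab's own code. `current_user` stands for the Devise helper (nil on the Git HTTP path because Devise is bypassed) and `auth_user` for the user the controller authenticated itself; `GitHttpRequest`, `admin_mode_active?` and `can_clone?` are assumed names, and the users and project are constructed.

```ruby
# Simplified model of the sessionless admin-mode bypass (illustration, not GitLab code).
User = Struct.new(:name, :admin, :member_of)

# A request carries the user Devise would set (current_user, nil when Devise is
# bypassed) and the user the Git HTTP controller authenticated from credentials.
class GitHttpRequest
  attr_reader :current_user, :auth_user, :session

  def initialize(auth_user:, current_user: nil, session: {})
    @auth_user = auth_user
    @current_user = current_user
    @session = session
  end
end

# Shape of sessionless_user?: a user is known but no Devise session key exists.
def sessionless_user?(req, user)
  !user.nil? && !req.session.key?('warden.user.user.key')
end

# Shape of sessionless_bypass_admin_mode!: sessionless users get the bypass;
# everyone else must have enabled admin mode in their session.
def admin_mode_active?(req, user, admin_mode_enabled: true)
  return true unless admin_mode_enabled
  return true if sessionless_user?(req, user)
  req.session[:admin_mode] == true
end

# Clone authorization: members always read; admins read anything only while
# admin mode is active. bypass_helper picks which helper feeds the bypass check.
def can_clone?(req, project, bypass_helper:)
  user = req.auth_user
  return false if user.nil?
  return true if user.member_of.include?(project)
  user.admin && admin_mode_active?(req, req.public_send(bypass_helper))
end

# Constructed scenarios: an admin with a PAT cloning a project they are not a
# member of, and the same admin in a browser session without admin mode.
def demo
  root = User.new('root', true, ['own-project'])
  pat_req = GitHttpRequest.new(auth_user: root)
  browser_req = GitHttpRequest.new(auth_user: root, current_user: root,
                                   session: { 'warden.user.user.key' => 1 })
  {
    via_current_user: can_clone?(pat_req, 'admin-mode-test', bypass_helper: :current_user),
    via_auth_user: can_clone?(pat_req, 'admin-mode-test', bypass_helper: :auth_user),
    browser_without_admin_mode: can_clone?(browser_req, 'admin-mode-test', bypass_helper: :auth_user)
  }
end
```

With `current_user` the bypass never triggers and the admin is denied (the 404 above); with `auth_user` the PAT clone succeeds while a browser session without admin mode is still denied.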