Skip to content

Achievements awarded by public namespace hide the namespace name for non-members

Summary

If a user is awarded an achievement, the namespace is shown as private for all users which are not a member of the awarding namespace, even if it is public.

Steps to reproduce

Visit https://gitlab.com/Taucher2003 while being logged in with an account that is not a member of gitlab-org or gitlab-org/achievements.

Example Project

What is the current bug behavior?

The namespace name is not shown, even for public namespaces

What is the expected correct behavior?

The namespace name is shown for public namespaces, even when I'm not a member

Relevant logs and/or screenshots

As member of gitlab-org As non-member of gitlab-org
image image

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Expand for output related to GitLab environment info 

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Investigation

The namespace_type checks for the read_namespace ability: https://gitlab.com/gitlab-org/gitlab/-/blob/0c8898c51f3442578d47ae901ef20ba1512cbaa0/app/graphql/types/namespace_type.rb#L7

In the case of achievements, the namespace is currently always a group. So the group_policy applies.

This policy enables the read_namespace based on the has_access condition: https://gitlab.com/gitlab-org/gitlab/-/blob/0c8898c51f3442578d47ae901ef20ba1512cbaa0/app/policies/group_policy.rb#L176

The has_access condition is defined as having an access level other than NO_ACCESS: https://gitlab.com/gitlab-org/gitlab/-/blob/0c8898c51f3442578d47ae901ef20ba1512cbaa0/app/policies/group_policy.rb#L13

Edited by Christina Lohr