Security policy bots cannot be created when the group does not allow new members
Summary
If a group does not allow members to be added to projects in the group (documentation), security policy bot users cannot be created.
Security policy bot members are normally created automatically when a security policy is added to a project. They are required to execute scheduled scan execution pipelines.
Steps to reproduce
- Create a group.
- Create a project in the group.
- Prevent members from being added to projects in the group.
- Create a new security policy.
- Check the members tab for the project and observe that there was no security policy bot added.
What is the current bug behavior?
Security policy bots are not added to the project, even though the policy expects them to be.
What is the expected correct behavior?
Security policy bots should be added to the project despite the group setting.
Possible fixes
Avoid the membership lock when the user has the user_type security_policy_bot:
--- a/ee/app/models/ee/project_team.rb
+++ b/ee/app/models/ee/project_team.rb
@@ -21,7 +21,7 @@ def add_members(
override :add_member
def add_member(user, access_level, current_user: nil, expires_at: nil)
- if group_member_lock && !user.project_bot?
+ if group_member_lock && !(user.project_bot? || user.security_policy_bot?)
return false
end
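Review bot: the new condition on the `if group_member_lock && !(user.project_bot? || user.security_policy_bot?)` line widens the set of users that bypass a group-level membership control, so the exemption should be backed by a spec that exercises `add_member` with `group_member_lock` enabled for a `project_bot`, a `security_policy_bot`, and a regular user, asserting that only the regular user is rejected; no such spec change is part of this hunk. It is also worth confirming in the same change that `security_policy_bot?` is derived from the stored user_type and not from anything a project member can set, since otherwise the lock could be circumvented by ordinary accounts.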