Non-root owners cannot assign custom roles
Summary
It has been identified that non-root group or project owners cannot assign custom roles.
Steps to reproduce
Set up user, group, project, and custom role
- As namespace/root group owner, create a custom role named CR1 with developer+admin_vulnerability.
- Add user_A to a root group and assign either Guest/Reporter/Developer/Maintainer (not owner)
- Create subgroup_A
- Add a project_1 to subgroup_A
- Invite user_A to subgroup_A as Owner
Impersonate user_A for subgroup_A
- Within incognito mode, sign in as user_A and go to subgroup_A
- Go to `/-/group_members` of subgroup_A
- Click Invite members
- The dropdown should include CR1 on the Invite modal.
- The dropdown should include CR1 for "max_role" on members page too.
Impersonate user_A for project_1
- Within incognito mode, sign in as user_A and go to project_1
- Go to `/-/project_members` of project_1
- Click Invite members
- The dropdown should include CR1 on the Invite modal.
- The dropdown should include CR1 for "max_role" on members page too.
What is the current bug behavior?
Custom roles are not showing up in permission dropdowns if you are not the root group owner.
What is the expected correct behavior?
Non-root group owners should see custom roles in the dropdown.
Relevant logs and/or screenshots
Root group permission
subgroup_A permission
Missing custom roles from dropdown
Edited by Joe Randazzo