Admin user gets 403 when using the MR external status endpoint
Summary
As per the documentation, Admin users should have access to everything in a GitLab instance. This does not happen for the MR status check endpoint.
When the Admin user is not a member of a project with MR external status checks configured, the Admin gets a 403. This affects both GET and POST request types.
When you add a user to a project or group, you assign them a role. The role determines which actions they can take in GitLab.
If you add a user to both a project’s group and the project itself, the higher role is used.
GitLab administrators have all permissions.
Steps to reproduce
- Create a project with a non-admin user
- Configure an MR status check
- Create an MR
- Hit the MR status check endpoint with an admin user
- A 403 is returned
Example Project
- GitLab Team Members: Please feel free to request access to the test project
What is the current bug behavior?
When the Admin user is not a member of a project with MR external status checks configured, the Admin gets a 403 when querying the MR external status checks endpoint.
What is the expected correct behavior?
The Admin user should be able to query the MR external status checks endpoint, regardless of being a member of the project or not.
Relevant logs and/or screenshots
{"message":"403 Forbidden"}
Output of checks
This bug happens on GitLab.com
Possible fixes
N/A
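A regression probe for the behavior reported above, added here as an example and not taken from the issue or from GitLab's code base. It assumes the documented REST path `GET /projects/:id/merge_requests/:merge_request_iid/status_checks`, the `is_admin` field that `GET /user` returns for administrators, and a personal access token sent in the `PRIVATE-TOKEN` header; the function name and return labels are hypothetical. Only the read-only GET is probed, because the POST variant writes a status check response.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote


def _get(url, token, opener):
    """Authenticated GET. Returns (status, parsed JSON) or (error status, None)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        # Error bodies are not guaranteed to be JSON, so only the code is kept.
        return err.code, None


def check_admin_access(base_url, project, mr_iid, token,
                       opener=urllib.request.urlopen):
    """Classify how the MR status checks endpoint treats an admin token.

    Returns one of:
      "not-admin"       token does not belong to an administrator, so the
                        result would say nothing about this bug
      "bug-present"     administrator received 403 (behavior in this report)
      "ok"              administrator received 200 (expected behavior)
      "unexpected-<n>"  any other status, e.g. 404 for a wrong project or IID
    """
    api = base_url.rstrip("/") + "/api/v4"

    # Step 1: confirm the token really is an administrator's.
    status, user = _get(f"{api}/user", token, opener)
    if status != 200 or not isinstance(user, dict) or not user.get("is_admin"):
        return "not-admin"

    # Step 2: query the status checks of an MR in a project the admin
    # is NOT a member of. Project may be a numeric ID or a full path.
    project_ref = quote(str(project), safe="")
    url = f"{api}/projects/{project_ref}/merge_requests/{mr_iid}/status_checks"
    status, _ = _get(url, token, opener)

    if status == 403:
        return "bug-present"
    if status == 200:
        return "ok"
    return f"unexpected-{status}"
```

Run it with an administrator token against a project created by a different, non-admin user, as in the steps to reproduce; `opener` exists only so the check can be exercised without network access.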