Project cannot belong to bot user namespace

What does this MR do and why?

  • Adding validation at the ActiveRecord level to prevent creation of projects within bot user namespaces via the Projects API
  • #362683 (closed)

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

  1. Create a group access token
  2. Use the group access token to create a project via the API (do not pass in namespace_id param so that the fallback is to create the project within the bot user's namespace)
    curl --request POST --header "PRIVATE-TOKEN: $TOKEN" \
     --header "Content-Type: application/json" --data '{
        "description": "New Project", "path": "bot_project_3",
        "initialize_with_readme": "true"}' \
     --url 'http://localhost:3000/api/v4/projects/'
  3. An error should be returned indicating that a project can't be created in a bot user's namespace.
  4. You can also pull the namespace_id of the bot user from Rails console and try to pass that to curl:
    rails c
    User.last.namespace.id # because my last action was creating a group access token the last user is the group access token bot user
      => 77
    
    curl --request POST --header "PRIVATE-TOKEN: $TOKEN" \
     --header "Content-Type: application/json" --data '{
        "description": "New Project", "path": "bot_project_4",
        "namespace_id": "77", "initialize_with_readme": "true"}' \
     --url 'http://localhost:3000/api/v4/projects/'
  5. An error should be returned indicating that a project can't be created in a bot user's namespace.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jessie Young
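
The two validation paths above (no namespace_id, so the namespace falls back to the bot user's own, and an explicit namespace_id pointing at the bot's namespace), modeled in plain Ruby as an added example that is not part of this MR or GitLab's code. All class, method and error-message names are hypothetical, and the sample users and namespaces are constructed.

```ruby
# Added illustration in plain Ruby, not GitLab's code; every class,
# method and message name here is hypothetical.
User = Struct.new(:id, :username, :bot)
Namespace = Struct.new(:id, :owner)

class Project
  attr_reader :errors

  def initialize(path:, namespace:)
    @path = path
    @namespace = namespace
    @errors = []
  end

  # Model-level rule: it runs whichever caller picked the namespace.
  def valid?
    @errors = []
    if @namespace.nil?
      @errors << "namespace must exist"
    elsif @namespace.owner.bot
      @errors << "namespace can't belong to a bot user"
    end
    @errors.empty?
  end
end

# Stand-in for the API layer: an omitted namespace_id falls back to the
# caller's own namespace, which for a token bot is the bot's namespace.
class ProjectCreator
  def initialize(namespaces)
    @by_id = namespaces.to_h { |ns| [ns.id, ns] }
    @by_owner = namespaces.to_h { |ns| [ns.owner.id, ns] }
  end

  # Returns [valid, errors] instead of saving anything.
  def create(current_user, params)
    id = params[:namespace_id]
    ns = id ? @by_id[id.to_i] : @by_owner[current_user.id]
    project = Project.new(path: params[:path], namespace: ns)
    [project.valid?, project.errors]
  end
end

# Constructed sample data; 77 echoes the namespace id used in step 4.
HUMAN = User.new(1, "dev", false)
BOT = User.new(2, "group_bot", true)
CREATOR = ProjectCreator.new([Namespace.new(10, HUMAN), Namespace.new(77, BOT)])
```

Because the rule sits on the model rather than in the request handler, both calls from the steps are rejected by the same check, and so is a human caller who passes the bot's namespace id.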
