Skip to content

GitLab Next

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

Draft: Update external user group and project policy

Review changes
Download
Patches
Plain diff

Serena Fang requested to merge sfang-external-user-policy into master Apr 12, 2021

Overview 2
Commits 1
Pipelines 1
Changes 6

What does this MR do?

#13515 (closed)

From the documentation, external users should not be able to create projects, subgroups, snippets, or fork projects. Previously, these rules weren't being applied, and external users still got the full permissions of the role they were added as. This MR enforces policies so that external users no longer have permission to create projects, subgroups, snippets, and fork projects.

Screenshots (strongly suggested)

Before:

When impersonating an external user with maintainer permission, I have the ability to create projects, subgroups, and snippets in a group I am in.

"New subgroup" and "New project" buttons appear in top right:

Clicking "New project" does indeed create a new project:

Clicking "New subgroup" does indeed create a new subgroup:

"New snippet" button appears:

Clicking "New snippet" does indeed create a new snippet:

Creating a snippet works in both projects within a group and in personal namespaces:

"Fork project" option appears:

Clicking "Fork" does indeed fork the project:

After:

Still impersonating the external user.

"New project" and "New subgroup" buttons no longer appear:

"Create blank project" option still appears in dropdown, but attempting to create a project gives an error:

Attempting to create a subgroup with http://127.0.0.1:3000/groups/new?parent_id=107 gives a 404:
I can still view snippets, but cannot create them:

Attempting to create a snippet with http://127.0.0.1:3000/external/external-project/-/snippets/new gives a 404.
"Fork project" button no longer appears:

Attempting to fork a project with http://127.0.0.1:3000/tajuana/Flight/-/forks/new gives a 404

Does this MR meet the acceptance criteria?

Conformity

📋 Does this MR need a changelog?
- I have included a changelog entry.
- I have not included a changelog entry because _____.
Documentation (if required)
Code review guidelines
Merge request performance guidelines
Style guides
Database guides
Separation of EE specific content

Availability and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers
Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

Edited Apr 13, 2021 by Serena Fang

Merge request reports

Assignee Loading

Reviewers Loading

Request review from

Loading

Time tracking Loading

Loading