SonarQube: SONAR-15171

Gitlab authentication group sync returns groups despite user is not a member of it


    Details

    • Edition:
      Community
    • Production Notes:
      None

      Description

      If a user is a member of the project foo/bar, the foo group is returned by the current query even if the user is not a member of that group.

      With group sync enabled, the user is therefore added to the corresponding SonarQube groups even though they are not a member of the GitLab group.

      The GitLab /groups API endpoint lists all groups visible to the authenticated user, not only the groups the user is a member of.

      Potential fix:
      The query should set min_access_level=10 (Guest, the lowest membership level) so that the returned list is limited to groups the user is actually a member of.


      Note: filtering with min_access_level=10 also filters out groups that are only visible because of sharing with a child project, for example:

      • Group1 <- user is not a member of this group, the group is private
      • Group1/project2 <- project2 is private and shared with Group2
      • Group2 <- Group2 is private, the user is a member of this group

      In this situation, with the existing implementation, the user would be synced into Group1. With min_access_level=10, they will be synced only into Group2.
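      As an added example (not code from SonarQube or GitLab), the following Python client fetches the user's groups from GET /api/v4/groups with min_access_level=10, follows GitLab's offset pagination, and reports which groups the old, unfiltered query would have over-synced. The host https://gitlab.example, the bearer-token header and the sample JSON pages (which model the Group1/Group2 scenario above) are assumptions constructed for the example.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

GUEST = 10      # GitLab access level "Guest": the lowest real membership level
PER_PAGE = 100  # GitLab's maximum page size for list endpoints

Fetcher = Callable[[str], List[dict]]


def groups_url(base_url: str, page: int, min_access_level: Optional[int]) -> str:
    """Build the GET /api/v4/groups URL; min_access_level=None reproduces the old, unfiltered query."""
    params = {"per_page": PER_PAGE, "page": page}
    if min_access_level is not None:
        params["min_access_level"] = min_access_level
    return f"{base_url.rstrip('/')}/api/v4/groups?{urllib.parse.urlencode(params)}"


def http_fetcher(token: str) -> Fetcher:
    """Real fetcher using an OAuth bearer token (assumed to be what the login flow holds)."""
    def fetch(url: str) -> List[dict]:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def list_groups(base_url: str, fetch: Fetcher, min_access_level: Optional[int] = GUEST) -> List[str]:
    """Return the full_path of every group on every page; stops on the first empty page."""
    paths: List[str] = []
    page = 1
    while True:
        batch = fetch(groups_url(base_url, page, min_access_level))
        if not batch:
            break
        paths.extend(g["full_path"] for g in batch)
        page += 1
    return sorted(paths)


def over_synced(base_url: str, fetch: Fetcher) -> List[str]:
    """Groups the unfiltered query returns but the user holds no membership in (would be wrongly synced)."""
    member_of = set(list_groups(base_url, fetch, GUEST))
    return [g for g in list_groups(base_url, fetch, None) if g not in member_of]


# Constructed sample responses (not real GitLab data) modelling the ticket's scenario:
# the user is a member of group2 only; group1 is private but visible because
# group1/project2 is shared with group2. Unfiltered results are split over two pages
# so the pagination loop is exercised.
SAMPLE_PAGES = {
    None:  [[{"id": 1, "full_path": "group1"}], [{"id": 2, "full_path": "group2"}]],
    GUEST: [[{"id": 2, "full_path": "group2"}]],
}


def sample_fetch(url: str) -> List[dict]:
    """Offline stand-in for http_fetcher that serves SAMPLE_PAGES by query parameters."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    level = int(query["min_access_level"][0]) if "min_access_level" in query else None
    page = int(query["page"][0])
    pages = SAMPLE_PAGES[level]
    return pages[page - 1] if page <= len(pages) else []


if __name__ == "__main__":
    base = "https://gitlab.example"  # assumed hostname
    print("old query :", list_groups(base, sample_fetch, None))  # ['group1', 'group2']
    print("fixed     :", list_groups(base, sample_fetch))        # ['group2']
    print("over-sync :", over_synced(base, sample_fetch))        # ['group1']
```

      Against a real instance, replace sample_fetch with http_fetcher(token); running over_synced before deploying the fix shows exactly which existing SonarQube group memberships were granted through visibility rather than membership.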

            People

            Assignee:
            pierre.guillot Pierre Guillot
            Reporter:
            jacek.poreda Jacek Poreda