
Editors get admin rights without having the necessary access level in GitLab #19

Closed garbast closed 4 years ago

garbast commented 4 years ago

The JSON example below is the result of the following call: `$project = $gitlabClient->projects->show($this->projectName);`

The user in question is only a member of Redakteure, but receives an access_level as if they were a member of DeveloperIntern. As a result, an ordinary editor gets admin access.

This is because there is no check whether the user is actually a member of a given shared group. `shared_with_groups` lists every group the project is shared with, regardless of whether the current user belongs to it, so taking `max()` over all entries grants the highest shared level to anyone who can see the project (note that `permissions.project_access` and `permissions.group_access` in the response below are both `null`, so this response alone does not establish membership):

            // NOTE(review): per the API response quoted in this issue, $project['shared_with_groups']
            // describes which groups the project is shared with and at what level; it does not say
            // whether the authenticated user belongs to any of those groups. Raising $accessLevel to
            // the max() of every entry therefore hands the highest shared level (30 here) to any user
            // who can read the project -- the privilege escalation reported above. The loop needs to
            // skip groups the user is not a member of; membership has to be resolved separately,
            // since "permissions" in this response is null for both project_access and group_access.
            if (isset($project['shared_with_groups']) && is_array($sharedGroups = $project['shared_with_groups'])) {
                foreach ($sharedGroups as $sharedGroup) {
                    // Unconditionally raises $accessLevel to the group's level -- no membership check.
                    $accessLevel = max($accessLevel, $sharedGroup['group_access_level']);
                }
            }

According to composer.lock, the installed version is:

            "name": "mfc/oauth2",
            "version": "1.1.1",
            "source": {
                "type": "git",
                "url": "https://github.com/marketing-factory/oauth2.git",
                "reference": "68feb88c5b0c9095056e826613bfc48ed0def50b"
            },

The GitLab server is GitLab 12.6.4 (70900054dfe).

{
  "id": 30,
  "description": "",
  "name": "Website2019",
  "name_with_namespace": "wmd \/ Website2019",
  "path": "website2019",
  "path_with_namespace": "wmd\/website2019",
  "created_at": "2019-06-04T15:21:08.240Z",
  "default_branch": "develop",
  "tag_list": [],
  "ssh_url_to_repo": "git@server:wmd\/website2019.git",
  "http_url_to_repo": "https:\/\/server\/wmd\/website2019.git",
  "web_url": "https:\/\/server\/wmd\/website2019",
  "readme_url": null,
  "avatar_url": null,
  "star_count": 0,
  "forks_count": 1,
  "last_activity_at": "2020-01-20T07:49:53.357Z",
  "namespace": {
    "id": 40,
    "name": "Wir machen das",
    "path": "wmd",
    "kind": "group",
    "full_path": "wmd",
    "parent_id": null,
    "avatar_url": null,
    "web_url": "https:\/\/server\/groups\/wmd"
  },
  "_links": {
    "self": "https:\/\/server\/api\/v4\/projects\/30",
    "issues": "https:\/\/server\/api\/v4\/projects\/30\/issues",
    "merge_requests": "https:\/\/server\/api\/v4\/projects\/30\/merge_requests",
    "repo_branches": "https:\/\/server\/api\/v4\/projects\/30\/repository\/branches",
    "labels": "https:\/\/server\/api\/v4\/projects\/30\/labels",
    "events": "https:\/\/server\/api\/v4\/projects\/30\/events",
    "members": "https:\/\/server\/api\/v4\/projects\/30\/members"
  },
  "empty_repo": false,
  "archived": false,
  "visibility": "private",
  "resolve_outdated_diff_discussions": false,
  "container_registry_enabled": true,
  "issues_enabled": true,
  "merge_requests_enabled": true,
  "wiki_enabled": true,
  "jobs_enabled": true,
  "snippets_enabled": true,
  "issues_access_level": "enabled",
  "repository_access_level": "enabled",
  "merge_requests_access_level": "enabled",
  "wiki_access_level": "enabled",
  "builds_access_level": "enabled",
  "snippets_access_level": "enabled",
  "shared_runners_enabled": true,
  "lfs_enabled": true,
  "creator_id": 5,
  "import_status": "none",
  "open_issues_count": 0,
  "ci_default_git_depth": null,
  "public_jobs": true,
  "build_timeout": 3600,
  "auto_cancel_pending_pipelines": "enabled",
  "build_coverage_regex": null,
  "ci_config_path": null,
  "shared_with_groups": [
    {
      "group_id": 4,
      "group_name": "DeveloperIntern",
      "group_full_path": "developerintern",
      "group_access_level": 30,
      "expires_at": null
    },
    {
      "group_id": 43,
      "group_name": "Redakteure",
      "group_full_path": "redakteure",
      "group_access_level": 20,
      "expires_at": null
    }
  ],
  "only_allow_merge_if_pipeline_succeeds": false,
  "request_access_enabled": false,
  "only_allow_merge_if_all_discussions_are_resolved": false,
  "remove_source_branch_after_merge": null,
  "printing_merge_request_link_enabled": true,
  "merge_method": "merge",
  "auto_devops_enabled": false,
  "auto_devops_deploy_strategy": "continuous",
  "permissions": {
    "project_access": null,
    "group_access": null
  }
}

sfsmfc commented 4 years ago

Issue is solved by #22.