Netlify-cms: "Your GitLab user account does not have access to this repo" even though I'm repo owner

I found out that the problem lies on the fact that the project will not have explicit members since the members are being inherit from the Group above.
I don't know if this is an issue on the Gitlab or Netlify CMS side.

Sounds like a bug in our GitLab backend, would definitely welcome a PR to address. The related code is here:

https://github.com/netlify/netlify-cms/blob/a9f69f9ddc738db804ea3fd3e8b8b8a38aa6619f/packages/netlify-cms-backend-gitlab/src/API.js#L81-L91

Hey folks! I'm experiencing something similar on GitHub as well. I'm the repo owner of a private repo and I do get the same error message.

@ilrock this issue is due to a specific bug in the GitLab backend - I'd recommend asking in the community chat, as GitHub access issues are generally due to setup nuances.

@maxacarvalho I am unable to reproduce this issue. Created a repo(project) as a group owner, and I can see that I am added as a member of the project automatically and given group_access to the repo.

Hi @barthc

It goes like this:

When you create a repo as a group admin you will not be explicitly added to that repo as a member, you can check that if you use the Gitlab API, it returns an empty array.
That's fine since the repo inherits the permissions from the group.

But, what I found out with Netlify CMS is that when the member is not explicitly added to the repo the authentication will fail.

For now what I did was am API script that

1. Removes the member from the group
2. Adds the member to all repos
3. Adds the member to the group

After running the script above I can successfully login.

That's fine since the repo inherits the permissions from the group.

The CMS is also checking for repo group access.

Could you copy and paste what the GitLab api endpoint /projects/:id returns from your end under permissions before you run your script.

@barthc

I can't since the members are now all added to the repo directly.
But if you create a repo under a group and list the group members you will see that the API returns an empty array.

As I said from my end, yes /projects/:id/members return an empty array. Under permissions /projects/:id return something like so:

    "permissions": {
        "project_access": null,
        "group_access": {
            "access_level": 50,
            "notification_level": 3
        }
    },

and I am able to login. It would be nice if you can try to recreate the issue from scratch, and see what the initial permissions returns, It would help debug this issue further.

Hi @barthc

I really appreciate your help, I'm a bit overloaded atm but I promise to try it out as soon as possible (maybe during the weekend if my wife is in a good mood \o/ )

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Hi!

I've encountered this issue trying to implement group based permissions for access right management to the repositories and groups of my organization (on Gitlab).

I am thinking it is maybe due to this issue in Gitlab:
https://gitlab.com/gitlab-org/gitlab-foss/issues/39154

Therefore the group memberships, for being allowed to access a repository, would not be under the key permissions, but shared_with_groups.

Does it make sense to make something happen at netlify-cms's level?
I am not sure what would have to be implemented, but am interested in spending time into solving this.

Let me know if you have feedback!
Cheers

Hi @hugurp do you mind opening a new issue with a reproduction? The CMS checks the permissions here: https://github.com/netlify/netlify-cms/blob/0755f90142525d94158c1d112a5549e21eef77c2/packages/netlify-cms-backend-gitlab/src/API.ts#L176-L186.
It would be very helpful if you share the network traffic for the permissions request and the way you're setting group permissions.

Hi @erezrokah, thanks for the quick reply! Have opened a new issue. Hope it is clear :}