
GitLab OAuth not setting the right permissions on RemoteRepository #7743

Closed
humitos opened this issue Dec 10, 2020 · 4 comments
Labels: Accepted (Accepted issue on our roadmap), Bug (A bug)

humitos (Member) commented Dec 10, 2020

If a user belongs to a group on GitLab and has admin access to a particular repository via that group, RemoteRepository.admin is not properly set to True. This makes that repository impossible for that user to import.

We are using 3 different API endpoints to sync RemoteRepository on GitLab:

In GitLabService.sync_repositories:

  • {url}/api/v4/projects: to get all the projects the user has access to (docs)

Note that at this point we exclude repositories from being imported if they belong to a different organization.

In GitLabService.sync_organizations:

  • {url}/api/v4/groups: to get all the groups the user belongs to (docs)
  • {url}/api/v4/groups/{id}/projects: to get all the projects for a particular group the user belongs to (docs)

The main problem here is that the API response from /groups/{id}/projects is not the same as /projects. In particular, the latter comes with the permissions field that is key for us to know if the user is admin or not.

So, the first time that sync_repositories is called, we create the RemoteRepository properly for this repository, but then when sync_organizations is called, we overwrite it with the new updated data (response without permissions) and link it to the RemoteOrganization. The next time this remote repository is updated via sync_repositories, it will be skipped as mentioned in the note.

The quickest solution is to make a new API call to get a single project with all its fields including permissions, hitting https://docs.gitlab.com/ee/api/projects.html#get-single-project for each item returned in {url}/api/v4/groups/{id}/projects:

```python
org_repos = self.paginate(
    '{url}/api/v4/groups/{id}/projects'.format(
        url=self.adapter.provider_base_url,
        id=org['id'],
    ),
    per_page=100,
    archived=False,
    order_by='path',
    sort='asc',
)
```

This will work, but we are adding extra calls to the API to re-fetch data that we already asked for while syncing repositories (before syncing organizations). We could find a way to share this data, but the code will be more complex.

@humitos added the Bug and Accepted labels Dec 10, 2020

saadmk11 (Member) commented
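The overwrite described above, as an added example that is not Read the Docs code: two sync passes run against constructed GitLab responses. The first pass uses /projects entries (which carry `permissions.project_access` / `permissions.group_access`, a real shape of that endpoint), the second uses /groups/{id}/projects entries that have no `permissions` field. The "buggy" variant rebuilds the record from the group response and silently resets `admin`; the "fixed" variant only updates `admin` when the response actually contains permission data, which is the "share the data we already fetched" approach without the extra per-project request. The `RemoteRepository` dataclass, the store dict and the sample ids are assumptions for the simulation, and the cross-organization exclusion in the real `sync_repositories` is left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAINTAINER = 40  # GitLab "Maintainer" access level; admin means >= this


@dataclass
class RemoteRepository:
    # Simplified stand-in for the real model (assumption for this example)
    remote_id: int
    name: str
    admin: bool = False
    organization: Optional[str] = None


def access_level_from_permissions(project: dict) -> int:
    """Highest access level over direct project access and inherited group access.
    Either entry may be null in the /projects response; a missing permissions
    field yields 0, which is exactly what makes the overwrite lose admin."""
    perms = project.get("permissions") or {}
    levels = []
    for key in ("project_access", "group_access"):
        entry = perms.get(key)
        if entry:
            levels.append(entry.get("access_level", 0))
    return max(levels, default=0)


def sync_repositories(store: Dict[int, RemoteRepository], projects: List[dict]) -> None:
    """First pass: /projects entries, permissions present."""
    for proj in projects:
        repo = store.get(proj["id"]) or RemoteRepository(proj["id"], proj["path_with_namespace"])
        repo.admin = access_level_from_permissions(proj) >= MAINTAINER
        store[proj["id"]] = repo


def sync_organizations_buggy(store: Dict[int, RemoteRepository], groups: List[dict]) -> None:
    """Second pass as described in the issue: the group response has no
    permissions, so the rebuilt record always ends up with admin=False."""
    for group in groups:
        for proj in group["projects"]:
            store[proj["id"]] = RemoteRepository(
                proj["id"],
                proj["path_with_namespace"],
                admin=access_level_from_permissions(proj) >= MAINTAINER,
                organization=group["path"],
            )


def sync_organizations_fixed(store: Dict[int, RemoteRepository], groups: List[dict]) -> None:
    """Second pass that reuses the record from the first pass and only touches
    admin when the response actually carries permission data."""
    for group in groups:
        for proj in group["projects"]:
            repo = store.get(proj["id"]) or RemoteRepository(proj["id"], proj["path_with_namespace"])
            if "permissions" in proj:
                repo.admin = access_level_from_permissions(proj) >= MAINTAINER
            repo.organization = group["path"]
            store[proj["id"]] = repo


# Constructed sample responses (ids and paths are made up)
PROJECTS = [
    {"id": 101, "path_with_namespace": "acme/docs",
     "permissions": {"project_access": None, "group_access": {"access_level": 40}}},
    {"id": 102, "path_with_namespace": "acme/api",
     "permissions": {"project_access": {"access_level": 20}, "group_access": None}},
    {"id": 103, "path_with_namespace": "humitos/personal",
     "permissions": {"project_access": {"access_level": 50}, "group_access": None}},
]
GROUPS = [
    {"id": 7, "path": "acme", "projects": [
        {"id": 101, "path_with_namespace": "acme/docs"},   # no permissions field
        {"id": 102, "path_with_namespace": "acme/api"},
    ]},
]


def run(fixed: bool) -> Dict[int, tuple]:
    """Runs both passes and returns {remote_id: (admin, organization)}."""
    store: Dict[int, RemoteRepository] = {}
    sync_repositories(store, PROJECTS)
    (sync_organizations_fixed if fixed else sync_organizations_buggy)(store, GROUPS)
    return {r.remote_id: (r.admin, r.organization) for r in store.values()}


if __name__ == "__main__":
    print("buggy:", run(fixed=False))   # acme/docs loses admin
    print("fixed:", run(fixed=True))    # acme/docs keeps admin and gets its organization
```

The useful invariant is in `sync_organizations_fixed`: a response that cannot speak to permissions must not be allowed to lower a permission flag that an authoritative response already set.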

We can filter {url}/api/v4/groups/{id}/projects with min_access_level parameter. e.g. https://gitlab.com/api/v4/groups/{id}/projects/?min_access_level=40

This should only return projects where the user has at least maintainer level permission.

Ref: https://docs.gitlab.com/ee/api/groups.html#list-a-groups-projects

> Limit to projects where current user has at least this access level.

I think by doing this here the issue should be solved as we will import only those projects that the user has permission to.

```python
org_repos = self.paginate(
    '{url}/api/v4/groups/{id}/projects'.format(
        url=self.adapter.provider_base_url,
        id=org['id'],
    ),
    per_page=100,
    archived=False,
    order_by='path',
    sort='asc',
)
```

@humitos What do you think?

humitos (Member, Author) commented Dec 14, 2020

If we filter that response, will we still be importing projects where the user has <40 (for example, read access) for projects under these organizations?

We need to keep importing them, since they are shown in the list of "importable repositories" in the "Import Project" page with a message saying that you may need to ask for permissions to be able to import it.
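The trade-off raised in this reply, as an added example that is not Read the Docs code: a simulated /groups/{id}/projects call that honours `min_access_level` the way the linked docs describe (entries below the threshold are not returned at all), next to the split the "Import Project" page needs between projects the user can import now and projects to list with an "ask for permissions" message. The per-project `access_level` annotation on the constructed entries is an assumption made so the filter can be simulated offline; the real group endpoint does not return it.

```python
from typing import List, Optional, Tuple

# GitLab access levels (real values); admin/import rights start at Maintainer
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Constructed sample: the caller's access level per project, made up for the example
GROUP_PROJECTS = [
    {"id": 101, "path_with_namespace": "acme/docs", "access_level": MAINTAINER},
    {"id": 102, "path_with_namespace": "acme/api", "access_level": REPORTER},
    {"id": 103, "path_with_namespace": "acme/infra", "access_level": DEVELOPER},
]


def list_group_projects(projects: List[dict], min_access_level: Optional[int] = None) -> List[dict]:
    """Simulates GET /groups/{id}/projects with the optional min_access_level
    filter: filtered-out projects are simply absent from the response."""
    if min_access_level is None:
        return list(projects)
    return [p for p in projects if p["access_level"] >= min_access_level]


def classify_for_import(projects: List[dict]) -> Tuple[List[str], List[str]]:
    """Splits a response into (importable now, needs permissions) by path."""
    importable = [p["path_with_namespace"] for p in projects if p["access_level"] >= MAINTAINER]
    needs_permission = [p["path_with_namespace"] for p in projects if p["access_level"] < MAINTAINER]
    return importable, needs_permission


if __name__ == "__main__":
    print("unfiltered:", classify_for_import(list_group_projects(GROUP_PROJECTS)))
    print("min_access_level=40:", classify_for_import(list_group_projects(GROUP_PROJECTS, MAINTAINER)))
```

With the filter applied the "needs permission" list comes back empty, not because the user has access everywhere but because the server never told us those projects exist, which is the information the import page wants to display.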

saadmk11 (Member) commented

> If we filter that response, will we still be importing projects where the user has <40 (for example, read access) for projects under these organizations?

I don't think so, according to their documentation. I am not able to test it as I am not in any organization on GitLab :(

stsewd (Member) commented Dec 16, 2020

#7753 was merged

@stsewd closed this as completed Dec 16, 2020