Team permissions on private repos are not merged correctly #14799

Open
opened 2025-11-02 11:23:17 -06:00 by GiteaMirror · 9 comments

Originally created by @KimonHoffmann on GitHub (Jul 24, 2025).

Description

In releases prior to 1.24.0 any user who is a member of multiple teams with permissions on private repositories received the maximum permissions from all teams.

Since upgrading to 1.24.3 these users are limited by the limited permissions instead.

Example:

  • Team X: Write Access to PRs on all repos of an org
  • Team Y: No Access to PRs on all repos of an org
  • User A: Member of both X and Y

Effects:

  • User A cannot see or access PRs (404).
  • User A is available as a reviewer on PRs in the dropdown list.
  • Attempts to assign user A as a reviewer result in no action being taken with the following message in the log:

```
.../web/repo/pull_review.go:434:UpdatePullReviewRequest() [W] UpdatePullReviewRequest: refusing to add invalid review request for <User USER_ID:USER_NAME> to <Repository REPO_ID:ORG/REPO>#18: Error: Reviewer can't read [...]
```

The most similar issue I found is #33456, which is supposed to be fixed in 1.24.3, but still might be related.

Gitea Version

1.24.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.49.1

Operating System

Linux (amd64)

How are you running Gitea?

Prebuilt official OCI image

Database

SQLite

GiteaMirror added the type/bug and issue/workaround labels 2025-11-02 11:23:17 -06:00

@wxiaoguang commented on GitHub (Jul 25, 2025):

> Team X: Write Access to PRs on all repos of an org

Can you try to edit Team X and save again (even without change)?


@wxiaoguang commented on GitHub (Jul 25, 2025):

Unable to reproduce:

Image Image Image

@KimonHoffmann commented on GitHub (Jul 25, 2025):

I just tried the following:

  1. Add a new user to both teams
  2. Verify the reported behavior
  3. Edited Team Y (not X), without making any changes
  4. Try to re-verify the reported behavior, without success

So Step 3 resolved the issue. Sorry for editing Team Y instead of X, I got the roles mixed up when following the instructions.


@wxiaoguang commented on GitHub (Jul 25, 2025):

In old Gitea, the team permissions were messed up, some members got unrelated permissions, 1.24 corrected the behavior, but some "teams" need to be updated.

So I think the issue could be marked as "resolved"?


@KimonHoffmann commented on GitHub (Jul 25, 2025):

Yes, in this specific case it has been resolved, and I know what I need to do next time I encounter it.

But since it's not clear which teams are affected, is there maybe a possibility to add something to `doctor` or the DB migration step to fix these messed up team permissions proactively?


@GiteaBot commented on GitHub (Aug 24, 2025):

We close issues that need feedback from the author if there were no new comments for a month. 🍵


@KimonHoffmann commented on GitHub (Aug 24, 2025):

As far as I can tell there is no feedback outstanding, and the tag is left over by error.


@wxiaoguang commented on GitHub (Aug 24, 2025):

Reopened.

(But maybe this one will be just like other 2000+ pending&inactive issues if nobody would touch it 😅 )


@lynxplay commented on GitHub (Sep 16, 2025):

I ran into something similar for collaborators on private repos, https://github.com/go-gitea/gitea/pull/35501 fixed that for me, so potentially related?

Reference: github-starred/gitea#14799