
locked user has read/write access to repository of non-public project #786

Open · tomhub opened this issue Apr 12, 2021 · 4 comments

tomhub commented Apr 12, 2021

I added test-user to a non-public project which hosts git via https, then I locked test-user, but I can still clone and push the repository using test-user's link and credentials. Is this expected?

tomhub changed the title from "locked user has read access to repository of non-public project" to "locked user has read/write access to repository of non-public project" on Apr 12, 2021

tomhub (Author)

tomhub commented Apr 12, 2021

Further investigation:
So if I lock the user, go to Redmine git hosting -> Rescue, check all 3 boxes and run the rescue, access is removed from the locked user. However, if I unlock the user, access is not granted unless I go to Rescue, check all 3 boxes and run the rescue again.

alexandermeindl (Collaborator) commented

Hi @tomhub

thanks for reporting this. I can confirm this bug. This should be fixed in master with my last commits.

alexandermeindl (Collaborator) commented Apr 21, 2021

Some notes on the bug: if you locked a user while the bug existed, that user still has access to repositories (after applying this bug fix, too). You have to relock the user (unlock and lock them again) or resync your SSH keys.

tomhub (Author) commented Sep 27, 2021

I just tested: locked user: the user lost access to Redmine (session expired), but the user can still clone a repo from a non-public project.

```
Environment:
  Redmine version                4.2.2.stable
  Ruby version                   2.6.8-p205 (2021-07-07) [x86_64-linux]
  Rails version                  5.2.6
  Environment                    production
  Database adapter               Mysql2
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                smtp
SCM:
  Git                            2.33.0
  Filesystem
  Xitolite                       2.33.0
Redmine plugins:
  additionals                    3.0.4-master
  redmine_auditlog               0.0.5
  redmine_git_hosting            5.0.1-master
  redmine_privacy_terms          1.0.3
  redmine_spent_time             4.1.0
```

While locking and unlocking the user, git_hosting.log produces these messages, which is strange, as Redmine can control the gitolite-admin repository.

```
git_hosting.log <==
2021-09-27 17:53:11 +0100 [INFO] Status of 'xxxx' has changed, update projects
2021-09-27 17:53:11 +0100 [INFO] Create Gitolite Admin directory : '/run/redmine-gitolite/gitolite/gitolite-admin.git'
2021-09-27 17:53:11 +0100 [ERROR] Invalid Gitolite Admin SSH Keys
2021-09-27 17:53:11 +0100 [ERROR] Failed to retrieve list of SSH authentication methods: Failed getting response
```

Further investigation revealed (systemctl status sshd):

```
sshd[127]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
```

Since I prefer to keep up with new features, I decided not to update the sshd config to allow RSA, but rather to update the gitolite-admin key to Ed25519. A quick gitolite crash course showed how to update keys on the server. After this, I tested again, locking/unlocking the user: the sshd errors are gone, however the locked user can still clone the repository.

Note, my gitolite repos are only accessible through https, so I did not see any issues via sshd.

Another note: ssh or https access makes no difference: the locked user can clone and push changes.
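The failure mode in this thread is that a user's lock status in Redmine and the access rules written to gitolite drift apart, so a lock that "worked" in the web UI leaves the repository grants in place. The following is an added audit helper, not code from redmine_git_hosting or from the commenters: it parses a gitolite.conf (with @group expansion) and reports locked logins that still hold access. The conf text, repository names, user logins and the login-to-status map are all constructed for the example.

```ruby
# Constructed sample gitolite.conf (repo and user names are made up).
GITOLITE_CONF = <<~CONF
  @devs = alice test-user
  repo redmine_project_a
      RW+ = @devs
      R   = bob
  repo redmine_project_b
      RW  = test-user
CONF
# Constructed login => status map standing in for Redmine's user table.
USERS = { 'alice' => :active, 'bob' => :active, 'test-user' => :locked }.freeze

# Returns [groups, repos]: group => members, repo => logins/groups named in
# its access rules. Deny rules ('-') are skipped: we want anyone mentioned.
def parse_gitolite_conf(text)
  groups  = Hash.new { |h, k| h[k] = [] }
  repos   = Hash.new { |h, k| h[k] = [] }
  current = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A(@\S+)\s*=\s*(.*)\z/
      groups[$1].concat($2.split)
    elsif line =~ /\Arepo\s+(.*)\z/
      current = $1.split
    elsif line =~ /\A(C|R|RW[+CDM]*)\s+(?:\S+\s+)?=\s*(.*)\z/
      members = $2.split
      current.each { |r| repos[r].concat(members) }
    end
  end
  [groups, repos]
end

# Expands @group references recursively, guarding against cycles.
def expand(members, groups, seen = [])
  members.flat_map do |m|
    next [m] unless m.start_with?('@')
    next [] if seen.include?(m)
    expand(groups.fetch(m, []), groups, seen + [m])
  end.uniq
end

# repo => locked logins that still appear in its rules ({} means clean).
def locked_users_with_access(conf, users)
  groups, repos = parse_gitolite_conf(conf)
  repos.each_with_object({}) do |(repo, members), out|
    stale = expand(members, groups).select { |u| users[u] == :locked }
    out[repo] = stale unless stale.empty?
  end
end
```

Run it against the real gitolite-admin checkout and a dump of locked logins after every lock/unlock, and a non-empty result means the gitolite side still needs the rescue/resync the thread describes.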
