author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-20 06:09:59 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-20 06:09:59 +0000 |
commit | ba2e4183d9b07237657595821cd06689667e6762 (patch) | |
tree | 86a79db72443845747291b4e567888f4b6148a93 /doc/user/project/members/index.md | |
parent | e83144f0eef1a161b69d2b991841674978014283 (diff) | |
download | gitlab-ce-ba2e4183d9b07237657595821cd06689667e6762.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user/project/members/index.md')
-rw-r--r-- | doc/user/project/members/index.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/doc/user/project/members/index.md b/doc/user/project/members/index.md index a8f1b634127..61181f157f4 100644 --- a/doc/user/project/members/index.md +++ b/doc/user/project/members/index.md @@ -187,6 +187,21 @@ To remove a member from a project: [from being forked outside their group](../../group/access_and_permissions.md#prevent-project-forking-outside-group). 1. Select **Remove member**. +## Ensure removed users cannot invite themselves back + +Malicious users with the Maintainer or Owner role could exploit a race condition that allows +them to invite themselves back to a group or project that a GitLab administrator has removed them from. + +To avoid this problem, GitLab administrators can: + +- Remove the malicious user session from the [GitLab Rails console](../../../administration/operations/rails_console.md). +- Impersonate the malicious user to: + - Remove the user from the project. + - Log the user out of GitLab. +- Block the malicious user account. +- Remove the malicious user account. +- Change the password for the malicious user account. + ## Filter and sort members > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/21727) in GitLab 12.6. |
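Review bot: The list under "To avoid this problem, GitLab administrators can:" does not say whether its five top-level items are alternatives or are meant to be combined, and for a race condition the reader needs to know which action has to come first relative to removing the member. Suggest introducing the list with "do one of the following" or numbering it as an ordered procedure, whichever is intended. Three smaller points in the same added section: the first item, "Remove the malicious user session from the GitLab Rails console", links to the console page but gives no command or pointer to what to run there; the opening paragraph says "a group or project" while the nested item says only "Remove the user from the project", so the group case is not covered by the steps; and the paragraph says "a GitLab administrator has removed them", although the removal procedure directly above this section is not limited to administrators, so it is worth stating whether removal by an Owner or Maintainer is affected too. Unlike the "Filter and sort members" section that follows, the new section carries no issue link or version note, so readers cannot tell which releases are affected.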