Gitlab Upgrade graphql and statistics now 403

Hi,

I’ve just upgraded our on-premise Gitlab from version 13.12.1 to 13.12.2 on our Debian server. Everything looked OK in the shell, however on the frontend none of our projects will load and going to the admin system it says there’s an error loading statistics.

Looking at the browser Dev tools all calls to /api/graphql and /api/v4/application/statistics are returning 403 and therefore stopping later JavaScript calls from working.

Anyone have any ideas on how to fix this? I’ve tried different browsers and restarting the Gitlab service but to no avail…

Thanks

This looks like it’s potentially down to something to do with the users…

Running on Firefox and hitting the admin site where it tries to load the statistics we got the error

403 Forbidden - Your password expired. Please access GitLab from a web browser to update your password.

So I tried updating my password, same problem. Created a brand new account and logged in as that and the issue doesn’t appear (for that user).

OK… Seem to have fixed this for my user.

In the DB there’s a field on the users table called password_expires_at and for my user this date was sometime in 2019. For the new user I created, this field was null.

Updating my user’s field to null fixed the issue for me.

So, as the date was very old, is this new version of Gitlab now checking this field?

Well, that will teach me not to read the release notes…

Thanks mate. Just a follow-up on how I fixed it:

connect to local psql:

sudo -u gitlab-psql /opt/gitlab/embedded/bin/psql -h /var/opt/gitlab/postgresql -d gitlabhq_production

reset all users that are affected:

update users set password_expires_at = null where password_expires_at is not null;

3 Likes

Same happened to me :smile:. I panicked briefly (running an instance with 800 users), as rolling back would have meant downtime. Fortunately only two users were affected.
This happens when you use LDAP for authentication but nonetheless, as admin, set a “local” password for the user. After that the user gets a mail about the password change. When they afterwards log in via LDAP, some stuff still works but everything GraphQL-related returns a 403 and they are not able to push/pull anymore, even when using a PAT.

1 Like
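Added example, not part of any post above: a narrower variant of the reset from the thread that first lists the affected accounts, then clears only `password_expires_at` values already in the past, all inside a transaction that rolls back by default. The `identities` table with `user_id` and `provider` columns and the `username` column are assumptions about the GitLab schema; check them with `\d identities` and `\d users` in the same psql session before running.

```sql
-- Added example; run in the psql session opened with the command from the thread.
-- Assumption: identities(user_id, provider) records external logins such as LDAP.

BEGIN;

-- 1. Preview: accounts whose stored expiry is already in the past,
--    together with any external identity providers linked to them.
SELECT u.id,
       u.username,
       u.password_expires_at,
       string_agg(i.provider, ', ') AS external_providers
FROM users u
LEFT JOIN identities i ON i.user_id = u.id
WHERE u.password_expires_at IS NOT NULL
  AND u.password_expires_at < now()
GROUP BY u.id, u.username, u.password_expires_at
ORDER BY u.password_expires_at;

-- 2. Clear only the expired timestamps. Expiry dates that lie in the
--    future are left in place, so pending password rotations still apply.
UPDATE users
SET password_expires_at = NULL
WHERE password_expires_at IS NOT NULL
  AND password_expires_at < now()
RETURNING id, username;

-- 3. Dry run by default: compare the RETURNING list with the preview,
--    then rerun with COMMIT in place of ROLLBACK once the two lists match.
ROLLBACK;
```

The preview's `external_providers` column shows whether the affected accounts are the LDAP-backed ones described in the last post.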