Loss of control over my repos after installing 'GitLab Control' iOS app

I lost admin controls over all my private repos (can’t even invite collaborators). I installed an iOS app called ‘GitLab Control’ that prompted a permission request and created an all-access API token. Then my most basic admin control vanished from my web UI, and the app doesn’t allow me to reverse it.

I’m trying to understand if the app is legit or if it hijacked my account.

What I know:

  • No users have admin, only the app does
  • The app only exposes a partial API key, not sure I can extract it (can’t long press to copy it)

The app has an option ‘Unlink Host’. Could it be that once I unlink the API, my user regains admin over its own repos? I’m concerned that if I unlink I’ll lose my last ability to get back control.

Hi, the app is legit, I used it once, but to be honest the app is pretty basic and isn’t anything special. Working Copy is far better. I stopped using it when they disabled API token access and required users to use their password. I guess he enabled the API again.

However, it shouldn’t have done what you are experiencing. It certainly didn’t do this to me, but then I haven’t used it for like 2 years. I suggest you contact the developer of the app, but I did pay the amount to use the app when I had it. I think it was about GBP 5.00 when I purchased it. Not sure what it is now though. Seems a bit off though, restricting access to your repos, and then forcing you to pay to gain access again. Almost like ransomware if that is true.

Maybe it’s a limitation of the REST or SCIM API. Otherwise it either intentionally or accidentally took my control away. I prefer to give the developer the benefit of the doubt though, because the paid version is useful to an extent.

So I bought the full version because this was becoming a huge time sink and blocker (so $6 is better). Now I have a bit more functionality.

Thanks @iwalker, agreed.

When you create an access token you can choose the amount of access rights it needs. If it got full API access, then it has full ability to mess with everything. I haven’t tested, but I think read/write repositories would be enough, rather than full API.

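To make the scope point above concrete, here is an added audit script (not from this thread or from the GitLab Control app) that lists a user’s personal access tokens, flags any live token whose scopes go beyond repository read/write (the `api` scope is the "full access" grant described above), and can revoke one by id. It assumes the GitLab REST endpoints `GET /api/v4/personal_access_tokens` and `DELETE /api/v4/personal_access_tokens/:id` with the field names shown, and the sample token list is constructed for offline use.

```python
"""Audit GitLab personal access tokens for over-broad scopes (added example)."""
import json
import urllib.request

# What a Git client plausibly needs; anything beyond this gets flagged.
MINIMAL_SCOPES = {"read_repository", "write_repository"}

# Constructed sample shaped like the /personal_access_tokens response (not real data).
SAMPLE_TOKENS = json.loads("""[
  {"id": 101, "name": "GitLab Control", "scopes": ["api"],
   "active": true, "revoked": false},
  {"id": 102, "name": "ci-deploy", "scopes": ["read_repository"],
   "active": true, "revoked": false},
  {"id": 103, "name": "old-laptop", "scopes": ["api", "sudo"],
   "active": false, "revoked": true}
]""")


def flag_broad_tokens(tokens):
    """Return (id, name, extra_scopes) for every live token that grants
    more than repository read/write. Revoked or inactive tokens are skipped."""
    findings = []
    for t in tokens:
        if t.get("revoked") or not t.get("active", True):
            continue
        extra = sorted(set(t["scopes"]) - MINIMAL_SCOPES)
        if extra:
            findings.append((t["id"], t["name"], extra))
    return findings


def fetch_tokens(base_url, token):
    """Fetch the current user's tokens (the calling token needs read_api)."""
    req = urllib.request.Request(f"{base_url}/api/v4/personal_access_tokens",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def revoke_token(base_url, token, token_id):
    """Revoke one token by id; GitLab answers 204 No Content on success."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/personal_access_tokens/{token_id}",
        headers={"PRIVATE-TOKEN": token}, method="DELETE")
    with urllib.request.urlopen(req) as resp:
        return resp.status == 204


if __name__ == "__main__":
    for tid, name, extra in flag_broad_tokens(SAMPLE_TOKENS):
        print(f"token {tid} '{name}' grants {extra}; consider revoking it")
```

Run it against a live instance by replacing `SAMPLE_TOKENS` with `fetch_tokens("https://gitlab.com", "<your token>")`; revoking the app’s token does not by itself restore lost Owner rights, which is why the thread points to GitLab support.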

Yeah, I was under a deadline and granted the app permissions at login instead of generating keys. In hindsight I should’ve tested with another account and generated more limited keys. BTW, the app you suggested, “Working Copy”, looks really good. Testing it out. I still don’t have owner rights to my repos on my main account, so any help would be appreciated. Anyone have more ideas what else we can try?

Is this on your own GitLab server? Or using gitlab.com? If using gitlab.com, then I suggest you contact the GitLab team here and explain the situation to get your access reset: Submit a request – GitLab, Inc.

If your own server, get your GitLab admin to reset it, and remove that access token from your login so that the app can no longer mess with your config.


Hey, thanks a lot @iwalker for that link. Couldn’t find that page before. Hosting is on gitlab.com and currently just a free account. Was thinking of switching to paid so I can reach support, but I’ll give this form a try.