Guests can see Contribution Analytics of group members when they are not members
HackerOne report #446435 by ashish_r_padelkar on 2018-11-17:
As we know, when there is a project inside a group, you can add members at the project level without adding them at the group level.
When you become a member of a project, you implicitly become part of the group, as I read here.
However, when the group is private, and you give a user Guest membership to a private project inside the private group, they should not see the Contribution Analytics of group members at group level!!
The Contribution Analytics page should not be visible to guests anyway, as it displays all the counts such as merge requests, issues, etc. per user in a group!
Specifically, in cases where a user has explicit guest access to a private project within a private group, they should not see analytics at group level because they are not a member of the group!
I understand that you want to give read-only access to some group features, but I think analytics should not be visible, in my opinion!
Steps To Reproduce:
- Create a
- Now add a
Private Project level. Note that he should have access at group level
- When you log in as Guest, you can see Contribution Analytics from the group and all the analytics such as number of merge requests, issues, etc. from members of the group who may be part of other private projects from the same group where you don't have any access!!
Guest can see group's contribution analytics
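The authorization mistake the report describes, modelled as an added example (this is illustrative code, not GitLab's own policy code; the access-level constants, the Reporter threshold for viewing analytics, and the sample group, projects and users are all assumptions). It contrasts a permissive rule that lets anyone with access to any project in the group read group-level Contribution Analytics with a strict rule that requires a direct group membership above Guest:

```ruby
# Hypothetical authorization model for group-level Contribution Analytics.
# Added illustration, not GitLab's own code: access levels, the threshold
# for reading analytics and all sample data below are assumptions.

GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

Group   = Struct.new(:name, :members)          # members: { user => access_level }
Project = Struct.new(:name, :group, :members)  # direct project membership only

# Highest access a user holds *directly* on the group (nil if none).
def direct_group_access(group, user)
  group.members[user]
end

# Access a user holds on a project: the higher of direct project membership
# and any access inherited from the parent group (nil if neither exists).
def project_access(project, user)
  [project.members[user], direct_group_access(project.group, user)].compact.max
end

# Vulnerable rule: anyone who can read *any* project in the group is treated
# as able to read group analytics, so a project-only Guest sees group-wide
# merge request / issue counts for members of projects they cannot access.
def can_read_group_analytics_permissive?(group, projects, user)
  projects.any? { |p| p.group == group && !project_access(p, user).nil? }
end

# Hardened rule: require a *direct* group membership at Reporter or above
# (threshold assumed). Project-only guests and group-level guests are denied.
def can_read_group_analytics_strict?(group, user)
  level = direct_group_access(group, user)
  !level.nil? && level >= REPORTER
end

# Constructed sample: a private group with two private projects; "guest_user"
# is a Guest on one project only and has no group membership at all.
def sample
  group    = Group.new("acme", { "alice" => OWNER, "bob" => DEVELOPER })
  internal = Project.new("internal", group, {})
  portal   = Project.new("portal", group, { "guest_user" => GUEST })
  [group, [internal, portal]]
end

# Evaluate both rules for the sample users and return the outcomes.
def demo
  group, projects = sample
  {
    permissive_guest: can_read_group_analytics_permissive?(group, projects, "guest_user"),
    strict_guest:     can_read_group_analytics_strict?(group, "guest_user"),
    strict_owner:     can_read_group_analytics_strict?(group, "alice"),
    strict_dev:       can_read_group_analytics_strict?(group, "bob"),
  }
end

puts demo if __FILE__ == $0
```

Under the permissive rule `guest_user` is granted group analytics purely because of the project-level Guest membership; under the strict rule only `alice` and `bob`, who hold direct group memberships above Guest, are allowed. The useful check when reviewing such a policy is that a group-level read of aggregated member data is gated on group membership, not on reachability of any single project.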