Signed-in users can see project milestones when it is set as project members only
HackerOne report #447992 by ashish_r_padelkar on 2018-11-21:
Summary: Hello,
When you have the below settings for public projects, the issues tab is not visible to other users with no project membership in this project. So it is expected that features like boards (which is a sub-menu of issues) are also protected from other users.
However, any signed-in user can see all lists that are part of a board in such projects!
Description:
The endpoint at https://gitlab.com/-/boards/<BoardID>/lists.json
returns a board's lists, even if issues are visible to project members only.
Steps To Reproduce:
- Set the public project with the above settings shown in screenshot 1
- Now, as another logged-in user (who doesn't have project membership), navigate to this project.
- They will not see the issues tab.
- Now guess the board ID and navigate to https://gitlab.com/-/boards/<BoardID>/lists.json
- You will find all the board's lists!
Regards, Ashish
Impact
See all the lists of public projects when it is set as Project members only
Links
dev.gitlab.org issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2798
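The authorization gap the report describes is an endpoint that resolves a board by id and returns its lists without checking whether the caller may read issues in the board's project. The following is an added example, not GitLab's code and not the reporter's: a small Ruby model with the vulnerable handler beside a fixed one. `Project`, `Board`, `User`, the `FEATURE_*` access levels, `can_read_issues?` and both `lists_json_*` handlers are hypothetical names, and the sample project, board and users are constructed for the example.

```ruby
# Added example (not GitLab's code): a minimal model of the access check that
# the report describes as missing. All names and data here are hypothetical.

# Project-level feature access levels, modelled on the "issues visible to
# project members only" setting from the report (values are constructed).
FEATURE_DISABLED = :disabled
FEATURE_PRIVATE  = :private   # project members only
FEATURE_ENABLED  = :enabled   # everyone who can see the project

Project = Struct.new(:id, :public, :issues_access, :member_ids)
Board   = Struct.new(:id, :project_id, :lists)
User    = Struct.new(:id)

# Can `user` (nil for anonymous) read issues, and therefore boards, in `project`?
def can_read_issues?(user, project)
  member = !user.nil? && project.member_ids.include?(user.id)
  return false unless project.public || member
  case project.issues_access
  when FEATURE_ENABLED then true
  when FEATURE_PRIVATE then member
  else false
  end
end

# Vulnerable handler: looks up the board by id and returns its lists with no
# check beyond "is the caller signed in"; any authenticated user who supplies
# a valid board id gets the lists, regardless of project membership.
def lists_json_vulnerable(user, board_id, boards, projects)
  return { status: 401 } if user.nil?
  board = boards[board_id]
  return { status: 404 } if board.nil?
  { status: 200, lists: board.lists }
end

# Fixed handler: resolve the board's project and apply the issues access check
# before returning anything. 404 is used for both "does not exist" and
# "not authorised" so the response does not confirm which board ids exist.
def lists_json_fixed(user, board_id, boards, projects)
  board = boards[board_id]
  return { status: 404 } if board.nil?
  project = projects[board.project_id]
  return { status: 404 } unless project && can_read_issues?(user, project)
  { status: 200, lists: board.lists }
end

# Constructed sample data: a public project whose issues are members-only.
PROJECTS = {
  1 => Project.new(1, true, FEATURE_PRIVATE, [10]),
}
BOARDS = {
  7 => Board.new(7, 1, ["To Do", "Doing", "Done"]),
}
MEMBER   = User.new(10)
OUTSIDER = User.new(20)   # signed in, but not a project member

if __FILE__ == $0
  p lists_json_vulnerable(OUTSIDER, 7, BOARDS, PROJECTS) # leaks the lists
  p lists_json_fixed(OUTSIDER, 7, BOARDS, PROJECTS)      # {:status=>404}
  p lists_json_fixed(MEMBER, 7, BOARDS, PROJECTS)        # lists returned
end
```

The point of the fixed handler is that the check is keyed on the project the board belongs to, not on the caller merely being authenticated, and that it is evaluated before any board data is serialised.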