
Signed-in users can see project milestones when it is set as project members only

HackerOne report #447992 by ashish_r_padelkar on 2018-11-21:

Summary: Hello,

When you have the settings below for a public project, the issues tab is not visible to other users who have no project membership. So it is expected that features like boards (which is a sub-menu of issues) are also protected from other users.

Screen shot 1: Screenshot_2018-11-21_at_13.24.41.png

However, any signed-in user can see all lists that are part of a board in such projects!

Description: The endpoint at https://gitlab.com/-/boards/<BoardID>/lists.json returns a board's lists, even if issues are visible to project members only.

Screen shot 2: Screenshot_2018-11-21_at_13.26.51.png

Steps To Reproduce:

  1. Set up the public project with the settings shown in screen shot 1 above.
  2. Now, as another logged-in user (who doesn't have project membership), navigate to this project.
  3. They will not see the issues tab.
  4. Now guess the board ID and navigate to https://gitlab.com/-/boards/<BoardID>/lists.json
  5. You will find all the board's lists!

Regards, Ashish

Impact

See all the lists of a public project when it is set as Project members only

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Links

dev.gitlab.org issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2798

Edited by Heinrich Lee Yu
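The authorization gap the report describes, modeled as an added Ruby example (this is not GitLab's code). A project's visibility and its "issues" feature access level are separate settings, so an endpoint that serves a board's lists has to check the feature-level permission rather than only whether the project is public. All names here (Project, Board, User, issues_access, lists_json_vulnerable, lists_json_fixed, fetch_lists) and the sample data are assumptions made for the example.

```ruby
# Added example, not GitLab's code: a small model of the authorization gap in
# the report. Project visibility and the "issues" feature access level are
# separate settings; a board's lists must be gated on the issues permission.
# Names and sample data below are constructed for this illustration.

Project = Struct.new(:id, :is_public, :issues_access, :member_ids)
Board   = Struct.new(:id, :project, :lists)
User    = Struct.new(:id)

def member?(user, project)
  !user.nil? && project.member_ids.include?(user.id)
end

# Behaviour described in the report: any signed-in user can read the lists of
# a board in a public project, regardless of the issues access level.
def lists_json_vulnerable(user, board)
  return nil if user.nil?                                   # anonymous: denied
  return nil unless board.project.is_public || member?(user, board.project)
  board.lists
end

# Boards are a sub-feature of issues, so reading a board's lists requires the
# same permission as reading issues in that project.
def can_read_issues?(user, project)
  case project.issues_access
  when :disabled then false
  when :private  then member?(user, project)                # "Project members only"
  when :enabled  then project.is_public || member?(user, project)
  else false                                                # unknown level: deny
  end
end

def lists_json_fixed(user, board)
  return nil unless can_read_issues?(user, board.project)
  board.lists
end

# Route-level lookup by board ID. Unknown and unauthorized boards get the same
# nil (404) response, so a caller cannot confirm that a guessed ID exists.
def fetch_lists(boards, board_id, user)
  board = boards[board_id]
  return nil if board.nil?
  lists_json_fixed(user, board)
end

# Constructed sample data.
RESTRICTED = Project.new(1, true, :private, [1])   # public project, issues members-only
OPEN       = Project.new(2, true, :enabled, [])    # public project, issues open to all
BOARDS = {
  42 => Board.new(42, RESTRICTED, ["Open", "Doing", "Closed"]),
  43 => Board.new(43, OPEN,       ["Backlog", "Done"]),
}
MEMBER   = User.new(1)   # member of RESTRICTED
OUTSIDER = User.new(2)   # signed in, no membership

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, outsider on board 42: #{lists_json_vulnerable(OUTSIDER, BOARDS[42]).inspect}"
  puts "fixed, outsider on board 42:      #{fetch_lists(BOARDS, 42, OUTSIDER).inspect}"
  puts "fixed, member on board 42:        #{fetch_lists(BOARDS, 42, MEMBER).inspect}"
  puts "fixed, anonymous on board 43:     #{fetch_lists(BOARDS, 43, nil).inspect}"
end
```

The point of `can_read_issues?` is that the check is inherited from the parent feature: whatever rule decides whether a user may see the issues tab also decides access to boards and their lists, so the two can never drift apart as they did in the report. The second project shows that the fix does not over-restrict: anonymous reads still work where issues are open.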