Get list of board names of public projects when issues are set as project member only (API)
HackerOne report #449563 by ashish_r_padelkar on 2018-11-25:
Summary: Hello,
When issues of public projects are set as Project Members Only, the issue menu is not visible for public!
However, it is still possible for anyone to get names of boards and their tags etc., which should not happen as board is a sub menu of issues!
Description: The following API endpoint is responsible for getting list of all issue board names
curl --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.example.com/api/v4/projects/<ProjectID>/boards
https://docs.gitlab.com/ee/api/boards.html
This shows board names even if issues are set as project members only!
Steps To Reproduce:
- Set issues as Project Member Only in project settings for public project
- When you navigate to project, you won't see Issues menu and its sub menus
- Now run the following curl to obtain the list of boards
curl --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.example.com/api/v4/projects/<ProjectID>/boards
Regards, Ashish
Impact
Get list of board names even when project issues are set as Project Members Only
Edited by James Ritchey
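The flaw above is an authorization mismatch: the Issues feature is restricted to members, but the boards endpoint, which lives under Issues, answers everyone. The following is an added example (not part of the report or of GitLab's code) that encodes the expected rule "boards inherit the Issues access level" and audits a set of observed API responses against it, flagging callers who received board names they should not have. The access-level labels, project id, usernames and board names are constructed for the example; the audit runs on an in-memory map of responses rather than calling a live instance.

```python
"""Authorization regression check for GitLab-style issue boards.

Added example (not part of the HackerOne report or GitLab's code): models the
expected rule that boards inherit the Issues feature's access level, then
compares it against responses observed from the /projects/:id/boards endpoint
to flag users who received board names they should not have.
"""
from dataclasses import dataclass, field
from typing import Optional

# Feature access levels as shown in GitLab project settings (labels assumed).
# PRIVATE corresponds to the "Project Members Only" option in the report.
ENABLED = "enabled"
PRIVATE = "private"
DISABLED = "disabled"


@dataclass(frozen=True)
class Project:
    id: int
    public: bool                  # project visibility is Public
    issues_access: str            # one of ENABLED / PRIVATE / DISABLED
    members: frozenset = field(default_factory=frozenset)  # usernames


def can_see_issues(project: Project, user: Optional[str]) -> bool:
    """Expected rule for the Issues feature; None means an anonymous request."""
    is_member = user is not None and user in project.members
    if project.issues_access == DISABLED:
        return False
    if project.issues_access == PRIVATE:
        return is_member
    # ENABLED: anyone who can see the project itself
    return project.public or is_member


def boards_should_be_visible(project: Project, user: Optional[str]) -> bool:
    """Boards live under the Issues menu, so they must follow the same rule."""
    return can_see_issues(project, user)


def audit_board_responses(project: Project, observed: dict) -> list:
    """Compare observed /boards responses against the expected rule.

    observed maps a username (None for anonymous) to the list of board names
    the API returned for that caller, or None if the call was refused.
    Returns the list of (user, boards) pairs where data leaked.
    """
    leaks = []
    for user, boards in observed.items():
        if boards and not boards_should_be_visible(project, user):
            leaks.append((user, boards))
    return leaks


# Constructed sample: a public project whose Issues are "Project Members Only".
SAMPLE_PROJECT = Project(id=101, public=True, issues_access=PRIVATE,
                         members=frozenset({"alice"}))

# Constructed responses mirroring the report: every caller got the board list.
SAMPLE_OBSERVED = {
    "alice": ["Development"],    # member: allowed
    "mallory": ["Development"],  # non-member: should have been refused
    None: ["Development"],       # anonymous: should have been refused
}


def run_sample() -> list:
    """Audit the constructed sample; returns the two leaking callers."""
    return audit_board_responses(SAMPLE_PROJECT, SAMPLE_OBSERVED)


if __name__ == "__main__":
    for user, boards in run_sample():
        print(f"LEAK: {user or 'anonymous'} received boards {boards}")
```

In practice the `observed` map would be filled from the API responses gathered with a member token, a non-member token and no token, so the same audit doubles as a regression test for the fix: once the endpoint respects the Issues access level, `run_sample()` style checks return an empty list.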