A non-member to a public project can update issues if the 'all issues' checkbox is checked
Gitlab allows users to make updates to a project only if the user is a member of the project. The update operations a user can perform (if the user is a member of the project) include:
- Assigning a label/milestone to an individual issue or to all issues of the project ( by checking the all issue dropdown) from the search/list issues page
- Closing or Editing an open issue
- Reopening a closed issue
Currently however, there is a bug in the application whereby a non-member visitor to a public project (e.g. https://gitlab.com/gitlab-org/gitlab-ce) can update issues of the project if the 'all issues' checkbox is checked on the search/list issues page of that project (https://gitlab.com/gitlab-org/gitlab-ce/issues). As a non-member user to this public project, if I try to update a single issue from the search/list issues page (by trying to toggle the issue checkbox), then that action is correctly not permitted by the application. HOWEVER, IF I SELECT ALL PROJECT ISSUES BY CHECKING THE 'ALL ISSUES' CHECKBOX ON THE PAGE, THEN I HAVE ACCESS TO THE UPDATE PROJECT BUTTON ALONG WITH THE ASSIGN MILESTONE,ASSIGN STATUS AND ASSIGN LABEL FIELDS.