Guest can see private group epic
HackerOne report #446652 by ashish_r_padelkar on 2018-11-18:
Summary:
Hello,
As per the documentation here https://gitlab.com/help/user/permissions, a Guest should not see Epics from private groups.
Description:
When a user has the Guest role, as per the above group permission documentation, they should not see Epics if the group is private.
However, a Guest can see the Epics of private groups at https://gitlab.com/groups/<PrivateGroup>/-/epics
Steps To Reproduce:
- As a Guest member of a private group, just visit the direct URL https://gitlab.com/groups/<PrivateGroup>/-/epics; you will see all Epics of the group.
Regards, Ashish
Impact
- A Guest member of a private group can see Epics when they should not as per the documentation.
- A member of a private project within a private group who doesn't have explicit access at the group level can still see the Epics.
Edited by Dennis Appelt
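The authorization rule the report describes, as an added illustration that is not GitLab's code: a hypothetical epic-visibility check in which the buggy variant grants access to anyone with any membership under the group (Guest role, or project-only membership), and the hardened variant requires an explicit group-level role above Guest. The role names, ranks, struct types and sample users are assumptions constructed for this example; that any non-Guest group role may read epics is likewise an assumption, not a statement from the report.

```ruby
# Hypothetical model of the epic-visibility rule from the report. Not GitLab's
# implementation; role names and ranks are assumed for illustration.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# members maps a user name to that user's role in the group or project.
Group   = Struct.new(:name, :visibility, :members, keyword_init: true)
Project = Struct.new(:name, :group, :members, keyword_init: true)

# Buggy check (the behaviour the report observed): on a private group, any
# membership under the group, even Guest or project-only, reaches the epics page.
def can_read_epics_buggy?(user, group, projects)
  return true if group.visibility == :public
  return true if group.members.key?(user)
  projects.any? { |p| p.group.equal?(group) && p.members.key?(user) }
end

# Hardened check: a private group's epics require an explicit group-level role,
# and that role must rank above Guest. Project membership does not inherit.
def can_read_epics?(user, group)
  return true if group.visibility == :public
  role = group.members[user]
  return false if role.nil?
  ROLE_RANK.fetch(role) > ROLE_RANK[:guest]
end

# Constructed sample data, not taken from the report.
def sample
  group = Group.new(name: "acme", visibility: :private,
                    members: { "guest_user" => :guest, "dev_user" => :developer })
  project = Project.new(name: "acme/app", group: group,
                        members: { "proj_only_user" => :developer })
  [group, [project]]
end

if __FILE__ == $PROGRAM_NAME
  group, projects = sample
  %w[guest_user proj_only_user dev_user stranger].each do |u|
    puts format("%-15s buggy=%-5s hardened=%s", u,
                can_read_epics_buggy?(u, group, projects), can_read_epics?(u, group))
  end
end
```

The guest and project-only users are the two cases the report's Impact section lists; both pass the buggy check and are refused by the hardened one.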