Skip to content
GitLab Next
Closed
Created by M. Hasbini@0xbsecContributor

User is able to bypass project issues permissions to create new issues from the api

Summary

User is able to bypass project issues permissions to create new issues from the api.

Steps to reproduce

  • Disable project issues permissions or limit it to Only team members.
  • Create a new user that isn't in the project group, and generate a new token for the api.
  • curl --request POST --header "PRIVATE-TOKEN: ..." "http://localhost:3000/api/v4/projects/1/issues?title=test"

What is the current bug behavior?

Create new issue.

What is the expected correct behavior?

Not to create an issue.

I'm on master @ 3d1cade1.