Signed in users can see project milestones when it is set as project members only
HackerOne report #447992 by ashish_r_padelkar on 2018-11-21:
When you have the settings below for public projects, the issues tab is not visible to other users who have no project membership. So it is expected that features like boards (which are a sub-menu of issues) are also protected from other users.
However, any signed in user can see all lists that are part of a board in such projects!
The endpoint at https://gitlab.com/-/boards/<BoardID>/lists.json returns a board's lists, even if issues are visible to project members only.
Steps To Reproduce:
- Set the public project with the settings shown in screenshot 1 above
- Now, as another logged-in user (who doesn't have project membership), navigate to this project.
- They will not see
- Now guess the board ID and navigate to
- You will find all the board's lists!
See all the lists of public projects when it is set as Project members only
Warning: Attachments received through HackerOne, please exercise caution!
dev.gitlab.org issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2798
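The gap the report describes is an endpoint that only checks that the board exists, not that the caller may read the project's issues. The following Ruby is an added illustration of that pattern and its fix; it is not GitLab's code. `Project`, `Board`, `User`, the `:private` issues access level (standing in for "project members only") and the two handler functions are hypothetical, and the project, board and users are constructed sample data.

```ruby
# Added example, not GitLab's code: a minimal model of a board-lists endpoint
# that forgets to apply the project's "issues: project members only" setting,
# next to a handler that applies the same check that hides the issues tab.

# Hypothetical domain objects (constructed for this example).
Project = Struct.new(:id, :visibility, :issues_access_level, :member_ids, keyword_init: true)
Board   = Struct.new(:id, :project, :lists, keyword_init: true)
User    = Struct.new(:id, keyword_init: true)

# :private here stands for the "project members only" issues setting.
ISSUES_ACCESS_LEVELS = %i[disabled private enabled].freeze

# The rule that gates the issues tab, boards and board lists alike:
# anonymous users and non-members may only read issues of a public project
# whose issues feature is fully enabled.
def can_read_issues?(user, project)
  return false if project.issues_access_level == :disabled
  return true  if project.visibility == :public && project.issues_access_level == :enabled
  !user.nil? && project.member_ids.include?(user.id)
end

# Vulnerable handler: any signed-in user who knows (or guesses) a board ID
# receives the lists, because only existence and sign-in are checked.
def lists_json_vulnerable(boards, user, board_id)
  board = boards[board_id]
  return { status: 404 } if board.nil? || user.nil?
  { status: 200, lists: board.lists }
end

# Fixed handler: the lists are served only when the caller could read the
# project's issues. A 404 (rather than 403) is returned on failure so that
# an ID-guessing caller learns nothing about which board IDs exist.
def lists_json_fixed(boards, user, board_id)
  board = boards[board_id]
  return { status: 404 } if board.nil?
  return { status: 404 } unless can_read_issues?(user, board.project)
  { status: 200, lists: board.lists }
end

# Constructed sample data: a public project with issues restricted to members.
SAMPLE_PROJECT = Project.new(id: 1, visibility: :public,
                             issues_access_level: :private, member_ids: [10])
SAMPLE_BOARDS  = { 42 => Board.new(id: 42, project: SAMPLE_PROJECT,
                                   lists: ['To Do', 'Doing', 'Done']) }
MEMBER   = User.new(id: 10)
OUTSIDER = User.new(id: 99)

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, outsider: #{lists_json_vulnerable(SAMPLE_BOARDS, OUTSIDER, 42)}"
  puts "fixed, outsider:      #{lists_json_fixed(SAMPLE_BOARDS, OUTSIDER, 42)}"
  puts "fixed, member:        #{lists_json_fixed(SAMPLE_BOARDS, MEMBER, 42)}"
end
```

The point of the fixed handler is that the board endpoint reuses the exact predicate that already hides the issues tab, so a new sub-resource cannot drift out of step with the project-level setting; in a real application that predicate would live in a shared policy object rather than being re-implemented per endpoint.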