Get list of board names of public projects when issues are set as project member only (API)
HackerOne report #449563 by ashish_r_padelkar on 2018-11-25:
When issues of public projects are set as Project Members Only, the issue menu is not visible to the public!
However, it is still possible for anyone to get the names of boards and their tags etc., which should not happen, as board is a sub menu of issues!
Description: The following API endpoint is responsible for getting list of all issue board names
curl --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.example.com/api/v4/projects/<ProjectID>/boards
This shows board names even if issues are set as project members only!
Steps To Reproduce:
- Set issues as Project Members Only in project settings for a public project
- When you navigate to the project, you won't see the Issues menu and its sub menus
- Now run the following curl to obtain the list of boards
curl --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.example.com/api/v4/projects/<ProjectID>/boards
- Get list of board names even when project issues are set as Project Members Only
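The report boils down to one authorization gap: the boards endpoint checks project visibility but not the project's issues access level. The script below is an added example, not part of the report or of GitLab's code. It audits a list of projects for exactly that gap: for each public project whose `issues_access_level` is `private` or `disabled` (real fields of the GitLab `/projects/:id` API), it requests `/projects/:id/boards` without any token (a stronger check than the report's, which used a token) and flags the project if board names come back. The host name is a placeholder; the `fetch` callable is injected so the logic runs offline against constructed responses that model both the reported behaviour and a fixed server.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Assumption: placeholder host, not from the report.
GITLAB_HOST = "https://gitlab.example.com"

# A fetcher takes an /api/v4 path and a token ("" = unauthenticated),
# returns parsed JSON, or raises PermissionError when access is denied.
Fetcher = Callable[[str, str], object]


def real_fetch_json(path: str, token: str = "") -> object:
    """Live fetcher against GITLAB_HOST; 401/403/404 are mapped to PermissionError."""
    req = urllib.request.Request(f"{GITLAB_HOST}/api/v4{path}")
    if token:
        req.add_header("PRIVATE-TOKEN", token)
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code in (401, 403, 404):
            raise PermissionError(path) from e
        raise


def issues_hidden_from_public(project: dict) -> bool:
    """True when the project is public but its issues are members-only or disabled."""
    return (project.get("visibility") == "public"
            and project.get("issues_access_level") in ("private", "disabled"))


def find_leaky_projects(fetch: Fetcher, project_ids: List[int]) -> Dict[int, List[str]]:
    """Return {project_id: [board names]} for projects whose boards are
    readable anonymously although their issues are not."""
    leaks: Dict[int, List[str]] = {}
    for pid in project_ids:
        project = fetch(f"/projects/{pid}", "")
        if not issues_hidden_from_public(project):
            continue  # boards are legitimately visible here
        try:
            boards = fetch(f"/projects/{pid}/boards", "")
        except PermissionError:
            continue  # server correctly denies: no leak
        names = [b["name"] for b in boards]
        if names:
            leaks[pid] = names
    return leaks


# Constructed sample responses (not captured from a real server):
#  1: public project, issues members-only, boards still served  -> the reported bug
#  2: public project, issues enabled, boards served              -> fine
#  3: public project, issues members-only, boards denied         -> fixed behaviour
DENIED = object()
SAMPLE_API = {
    "/projects/1": {"id": 1, "visibility": "public", "issues_access_level": "private"},
    "/projects/1/boards": [{"id": 10, "name": "Development"}, {"id": 11, "name": "Release"}],
    "/projects/2": {"id": 2, "visibility": "public", "issues_access_level": "enabled"},
    "/projects/2/boards": [{"id": 20, "name": "Development"}],
    "/projects/3": {"id": 3, "visibility": "public", "issues_access_level": "private"},
    "/projects/3/boards": DENIED,
}


def fake_fetch_json(path: str, token: str = "") -> object:
    """Offline fetcher serving SAMPLE_API; DENIED behaves like a 403/404."""
    body = SAMPLE_API[path]
    if body is DENIED:
        raise PermissionError(path)
    return body


if __name__ == "__main__":
    for pid, names in find_leaky_projects(fake_fetch_json, [1, 2, 3]).items():
        print(f"project {pid}: boards visible without token although issues are hidden: {names}")
```

To run it against a live instance, pass `real_fetch_json` and a list of project IDs instead of the fake; the unauthenticated probe is deliberate, since a fixed server must hide boards from anonymous users whenever issues are hidden from them.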