Reporter can do all the functions on issue boards
HackerOne report #529944 by ashish_r_padelkar on 2019-04-06, assigned to jritchey:
Summary
Hello,
As per documentation here https://gitlab.com/help/user/project/issue_board.md#permissions
Only Developers and up can use all the functionality of the Issue Board, that is, create or delete lists and drag issues from one list to another.
This is not true. Reporters can do the same, which is lower permissions than Developers!
Steps to reproduce
- As a reporter in any public project, navigate to https://gitlab.com/<UserName>/<ProjectName>/boards/<ID>.
- You can do all the functions such as move the issue from one list to another, create new boards etc.
What is the current bug behavior?
Reporters can perform all the actions which they shouldn't.
What is the expected correct behavior?
Only Developers and up can use all the functionality of the Issue Board, that is, create or delete lists and drag issues from one list to another.
Output of checks
This bug happens on GitLab.com and probably on omnibus installations too
Regards,
Ashish
Impact
Reporters can perform all the actions which they shouldn't as per documentation.