Group Maintainers can edit group runners
HackerOne report #566515 by ashish_r_padelkar on 2019-05-04, assigned to estrike:
Summary
Hello,
For group maintainers, the settings page isn't available, and so is group runner creation. As per the documentation I see, to create group runners, group maintainer permissions are enough: https://docs.gitlab.com/ee/ci/runners/#registering-a-group-runner
However, I see you decided recently to probably not allow maintainers to create group runners, as I see here: https://gitlab.com/gitlab-org/gitlab-ce/issues/56129#note_145276160, as you may be updating the document soon.
But it is still possible for Group Maintainers to update the existing group runners!
Steps to reproduce
- As a group maintainer, you won't see https://gitlab.com/groups/<GroupName>/-/settings/ci_cd
- Now navigate to any project inside this group and you will see a group runner at https://gitlab.com/<GroupName>/<ProjectName>/settings/ci_cd but you can't see the full token, nor can you edit it! You can see the Runner ID though!
- Copy this Runner ID and now you can just navigate to https://gitlab.com/groups/<GroupName>/-/runners/<RunnerID>/edit directly and you will see the full details of the group runner and you can even EDIT and SAVE!
What is the current bug behavior?
Group Maintainers are allowed to EDIT group runners, which doesn't seem correct from a UI point of view, especially considering the latest changes of not allowing Maintainers to see group CI/CD.
What is the expected correct behavior?
Only Group owners should see and add/update group runners
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too!
Regards,
Ashish
Impact
Group Maintainers can edit group runners
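The direct-URL access check the report describes, as an added example that is not part of the original report or of GitLab's code: a Ruby probe that requests the group runner edit page once per role with that role's session cookie and flags any non-owner role that receives a 200. The owner session is used to calibrate first, so an expired cookie does not produce a false "fixed" result. The base URL, group name, runner ID, cookie values and the stub responses are constructed for the example; the `_gitlab_session` cookie name and the 404 that a fixed instance returns to a maintainer are assumptions.

```ruby
require 'net/http'
require 'uri'

# Assumption: GitLab's default session cookie name.
GITLAB_SESSION_COOKIE = '_gitlab_session'

# Builds the group runner edit URL from the report, e.g.
# https://gitlab.com/groups/<GroupName>/-/runners/<RunnerID>/edit
def runner_edit_url(base, group, runner_id)
  "#{base}/groups/#{group}/-/runners/#{runner_id}/edit"
end

# Live transport: GET the URL with the given session cookie and return the
# HTTP status code. Only used when no stub fetcher is injected.
def http_get_status(url, session_cookie)
  uri = URI(url)
  req = Net::HTTP::Get.new(uri)
  req['Cookie'] = "#{GITLAB_SESSION_COOKIE}=#{session_cookie}"
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end.code.to_i
end

# sessions: { 'owner' => cookie, 'maintainer' => cookie, ... }
# Returns the list of non-owner roles that can reach the edit page (status 200).
# An empty list means the vertical access control holds for the roles probed.
def probe_runner_edit(base, group, runner_id, sessions, fetch: method(:http_get_status))
  url = runner_edit_url(base, group, runner_id)
  statuses = sessions.transform_values { |cookie| fetch.call(url, cookie) }

  # Calibrate: if the owner cannot see the page, the cookie is probably stale
  # and a 404 for the maintainer would prove nothing.
  unless statuses['owner'] == 200
    raise "owner session got #{statuses['owner']}, expected 200; check the cookie"
  end

  statuses
    .reject { |role, _| role == 'owner' }
    .select { |_, status| status == 200 }
    .map { |role, status| { role: role, status: status, url: url } }
end

# Offline stand-in for the transport: maps a session cookie to the status the
# server would return for it, so the check can be exercised without a network.
def stub_fetch(status_by_cookie)
  ->(_url, cookie) { status_by_cookie.fetch(cookie, 404) }
end

# Constructed sessions and responses. VULNERABLE mirrors the report: the
# maintainer gets the edit page. FIXED assumes the corrected behaviour, where
# the page is hidden (404) from anyone below owner.
SESSIONS   = { 'owner' => 'owner-cookie', 'maintainer' => 'maint-cookie' }
VULNERABLE = stub_fetch('owner-cookie' => 200, 'maint-cookie' => 200)
FIXED      = stub_fetch('owner-cookie' => 200, 'maint-cookie' => 404)

if __FILE__ == $0
  base = 'https://gitlab.example'
  p probe_runner_edit(base, 'grp', '42', SESSIONS, fetch: VULNERABLE)
  # => [{:role=>"maintainer", :status=>200, :url=>"https://gitlab.example/groups/grp/-/runners/42/edit"}]
  p probe_runner_edit(base, 'grp', '42', SESSIONS, fetch: FIXED)
  # => []
end
```

Against a real instance, drop the `fetch:` argument so `http_get_status` is used, and add one session per role you want to cover (developer, reporter, guest) to the `sessions` hash; every role that lands in the returned list is a finding of the kind this report describes.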