User can comment on locked project issues
HackerOne report #463938 by flashdisk on 2018-12-17:
Hi,
Description: when project owner locks an issue on the project the commenting will be enabled only for project members but if a user commented on an issue before locking it, he can still comment on the issue through the notification email he got simply by replying to it.
Steps To Reproduce:
- create a public project with a public issue
- from another account comment on that issue and make sure you enabled the notification for that issue before commenting , in your email inbox you will see the comments
- from the project owner account lock the issue to team members only which from any other account that is not a project member you will see this:
- go back to the account user in step
2
and reply from your email inbox and you will see that your comment was added although you don't have the permessions to do so!
thanks!
Impact
User can comment on locked project issues using notification email
Attachments
Warning: Attachments received through HackerOne, please exercise caution!