Related merge requests visible despite Only Project Members settings
HackerOne report #471843 by ashish_r_padelkar on 2018-12-25:
Summary: Hello,
When a public project has the settings below, merge requests are not visible publicly.
Description: However, if a commit has related merge requests, they are publicly visible on the commit page at
https://gitlab.com/<UserName>/<PublicProject>/commit/<CommitID>/merge_requests.json
Steps To Reproduce:
- Create a public project with the settings shown in the screenshot above
- Any user who visits this project won't see the merge request link
- Now go to any commit detail page
- You will see the related merge requests (if any) with their titles
- You can also check if there are any merge requests at
https://gitlab.com/<UserName>/<PublicProject>/commit/<CommitID>/merge_requests.json
Regards, Ashish
Impact
Related merge requests visible despite Only project members settings in public project