Private group EPIC info visible for former sub group owners

HackerOne report #666892 by ashish_r_padelkar on 2019-08-03, assigned to jmatos_bgtvf:

Dev issue: https://dev.gitlab.org/gitlab/gitlab-ee/issues/396 Security issue: https://gitlab.com/gitlab-org/security/gitlab/issues/30

Summary

Hello,

Sub group EPICs can be added as child EPIC to parent group EPIC. When a sub group EPIC contains the ancestor EPICs, they are visible on right side menu.

The problem with this is, This section is still available when sub group owner moves the sub group to their own private group.

Steps to reproduce

1. Create a private group named MainGroup with only User1 as owner and no other members
2. Create a sub group named SubGroup inside it with additional owner User2
3. Create EPIC in both MainGroup and SubGroup too
4. Put SubGroup EPIC as Child EPIC to MainGroup EPIC.
5. As User2 is owner of SubGroup , he can transfer this group to his own group. So, User2 transfers this group to his own group.
6. By doing this, User2 doesnt have any access to Private group MainGroup of User1
7. However, when User2 visits the EPIC of the SubGroup (in newly moved group), he still see the Ancestor EPIC from User1 Private MainGroup.

8. So if User1 changes the names of EPIC in MainGroup. , User2 Still able to see the new names of such EPICs. Also User1 can not do anything about this as he cant see EPIC added from SubGroup in his MainGroup EPIC.

What is the current bug behavior?

New EPIC names visible to former owner of sub group if group is transferred by owner

What is the expected correct behavior?

EPIC info should not be available in such scenarios

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

New EPIC titles are available to former owners of sub group if they themselves transfers the group

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• Screenshot_2019-08-04_at_01.02.07.png