Todos on designs are not removed after membership changes
HackerOne report #682748 by xanbanx on 2019-08-27:
Hi GitLab security team,
Summary
GitLab has the feature of design management, where developers can share and iterate on designs, which are part of an issue. On a design, developers can create notes, and by referencing other people, todos for them are created. However, when a member who has access is removed and no longer has access to the project, the associated todos for designs persist and are not removed.
I know that GitLab implemented a one-hour grace period before todos are removed. However, here the todos remain even after this period.
Steps to reproduce
This requires a project/group which supports the design management feature.
- Create a public group and, inside it, a private project
- Add a second member with developer rights to the group, from now on denoted as user_b
- In the private project, create an issue and upload a design
- On the design, create a note and mention user_b --> this creates a todo for user_b
- Remove user_b from the group
- Wait for the one-hour grace period for removing todos when the membership changes
- As user_b, visit the todos and see that the todo for the design is still there and not yet removed
Impact
This lets users without access to the project still see the design's todo.
What is the current bug behavior?
Todos on designs are not removed after the membership changes, not even after the grace period.
What is the expected correct behavior?
Todos on designs should be removed after the grace period when the membership changes.
Output of checks
This bug happens on GitLab.com
Best,
Xanbanx
Impact
See above.
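The defect class described in this report, modelled as an added example (not GitLab's code): a todo cleanup that only resolves issue and merge request targets to their project leaves design todos behind, while resolving the design through its parent issue removes them. The Project/Issue/Design/Todo structs and the sample data are constructed for the illustration.

```ruby
# Added illustration of the defect class in this report; not GitLab's code.
# Constructed in-memory model: a todo points at a target (issue, merge
# request, or design). A design belongs to an issue, which belongs to a project.
Project      = Struct.new(:name)
Issue        = Struct.new(:project)
MergeRequest = Struct.new(:project)
Design       = Struct.new(:issue)
Todo         = Struct.new(:user, :target)

# Resolve the project that owns a todo's target. Designs are reached
# through their parent issue.
def project_of(todo)
  case todo.target
  when Issue, MergeRequest then todo.target.project
  when Design then todo.target.issue.project
  else raise ArgumentError, "unsupported todo target #{todo.target.class}"
  end
end

# Behaviour described in the report: cleanup only handles issue and merge
# request targets, so todos on designs outlive the membership removal.
def cleanup_todos_incomplete(todos, project, removed_user)
  todos.reject do |t|
    t.user == removed_user &&
      (t.target.is_a?(Issue) || t.target.is_a?(MergeRequest)) &&
      t.target.project == project
  end
end

# Expected behaviour: resolve the project for every target type, so a
# design todo is removed along with the others.
def cleanup_todos(todos, project, removed_user)
  todos.reject { |t| t.user == removed_user && project_of(t) == project }
end

# Constructed sample data mirroring the report's steps.
def sample
  project = Project.new("private-project")
  issue   = Issue.new(project)
  design  = Design.new(issue)
  todos   = [
    Todo.new("user_b", issue),
    Todo.new("user_b", design),
    Todo.new("user_a", design) # still a member; must be kept
  ]
  [todos, project]
end
```

With the sample data, the incomplete cleanup keeps user_b's design todo (2 todos remain), while the complete cleanup leaves only user_a's todo.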