Project Maintainer can update description of triggers created by other maintainers in project
HackerOne report #770043 by ashish_r_padelkar
on 2020-01-08, assigned to @jbroullon:
Summary
Hello,
The triggers created here at https://gitlab.com/<Group>/<Project>/-/settings/ci_cd
in Pipeline triggers
are editable only by the maintainer who created them.
For example, a trigger created by Project Maintainer1 is only editable by Maintainer1, and Maintainer2 is not allowed to edit the description of this trigger.
However, using the API, it is possible for Maintainer2 to EDIT the description of this trigger.
Steps to reproduce
- Create a trigger using Maintainer1 at https://gitlab.com/<Group>/<Project>/-/settings/ci_cd in Pipeline triggers
- Login as Maintainer2 and go to https://gitlab.com/<Group>/<Project>/-/settings/ci_cd in Pipeline triggers and you will see that you don't have the EDIT option to edit the trigger.
- Now use the below API to EDIT the trigger description:
curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" --form description="my description" "https://gitlab.example.com/api/v4/projects/<ID>/triggers/<ID>"
Ref: https://docs.gitlab.com/ee/api/pipeline_triggers.html#update-a-project-trigger
The trigger ID can be obtained easily from the page by hovering on the delete button.
- Using the above API will successfully change the description of the trigger which was created by Maintainer1.
What is the current bug behavior?
The project maintainers can update triggers created by other maintainers in the project.
What is the expected correct behavior?
The update API should not work for other maintainers in the project.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too!
Regards,
Ashish
Impact
The project maintainers can update the triggers created by other maintainers in the same project. Note that there can be many maintainers in the same project, but I have just given an example of two for easy understanding.
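The report boils down to an authorization check that looks at the caller's role but not at who created the trigger. The following Ruby is an added illustrative model of that check and its fix; it is not GitLab's code, and the User, Trigger, policy and actor names are assumptions. It runs the report's scenario under a role-only policy (which reproduces the described API behaviour) and under a role-plus-ownership policy (which matches what the UI already enforces).

```ruby
# Added example: a minimal model of the ownership rule the report asks for.
# Illustrative code, not GitLab's implementation; User, Trigger and the
# policy names are assumptions.

User = Struct.new(:id, :role)
Trigger = Struct.new(:id, :owner_id, :description)

class NotAuthorized < StandardError; end

# Vulnerable policy: any project maintainer may update any trigger.
# This reproduces the behaviour the report describes for the update API.
def role_only_policy(user, _trigger)
  user.role == :maintainer
end

# Hardened policy: the caller must be a maintainer AND the trigger's creator.
# This matches the rule the UI already applies (only the creator sees EDIT).
def owner_policy(user, trigger)
  user.role == :maintainer && trigger.owner_id == user.id
end

# Applies a description update only if the chosen policy allows it.
def update_trigger(user, trigger, new_description, policy: method(:owner_policy))
  unless policy.call(user, trigger)
    raise NotAuthorized, "user #{user.id} may not update trigger #{trigger.id}"
  end
  trigger.description = new_description
  trigger
end

# Runs a block and reports whether the policy allowed or denied it.
def attempt
  yield
  :allowed
rescue NotAuthorized
  :denied
end

# Constructed sample actors (not from the report).
MAINTAINER1 = User.new(1, :maintainer)
MAINTAINER2 = User.new(2, :maintainer)
DEVELOPER   = User.new(3, :developer)

# Runs the report's scenario under both policies and returns the outcomes.
def demo
  outcome = {}
  trigger = Trigger.new(10, MAINTAINER1.id, "original")

  # Creator updates own trigger: allowed under the hardened policy.
  outcome[:owner] = update_trigger(MAINTAINER1, trigger, "changed by owner").description

  # Another maintainer under the hardened policy: denied.
  outcome[:other_maintainer] =
    attempt { update_trigger(MAINTAINER2, trigger, "changed by Maintainer2") }

  # Same attempt under the role-only policy: allowed (the reported bug).
  outcome[:other_maintainer_role_only] =
    attempt { update_trigger(MAINTAINER2, trigger, "changed by Maintainer2", policy: method(:role_only_policy)) }

  # A non-maintainer is denied even under the role-only policy.
  outcome[:developer] =
    attempt { update_trigger(DEVELOPER, trigger, "x", policy: method(:role_only_policy)) }

  outcome[:final_description] = trigger.description
  outcome
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The design point is that the server-side policy, not the UI, is the control: hiding the EDIT button for non-creators does nothing for API callers, so the same ownership condition has to be evaluated wherever the update is accepted.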