Issue import from Jira shows issues imported by Project Owner all the time
HackerOne report #856915 by ashish_r_padelkar
on 2020-04-23:
Summary
Hello,
The issue imported from Jira by maintainers in project still shows that issues are imported by main project owner. This is a problem for a project owners/maintainers to really know who actually imported the issues from Jira as all the maintainers can impersonate project owner.
Steps to reproduce
- Setup integration with Jira in your project. This can be done by any project maintainer
- Login as one of the maintainer in the project and go to
https://gitlab.com/<Group>/<Project>/-/import/jira
- Import the issues from Jira. At this point, you will see that
Reporter
is shown as current logged in user while importing but once you complete the import and see the issue list, You see that all the issues are shown as created by main project owner.
What is the current bug behavior?
All the issues imported from Jira are shown as imported by project owner allowing other maintainers in project to impersonate owner in importing issues.
What is the expected correct behavior?
Correct maintainer username should be displayed for all the imported issues from Jira.
Output of checks
This bug happens on GitLab.com and omnibus GitLab Enterprise Edition 12.10.0-ee
Regards,
Ashish
Impact
Jira imported issues are shown as created by main project owner .