Project reporters (and above) can see confidential EPIC attached to confidential issues

HackerOne report #919468 by ashish_r_padelkar on 2020-07-09, assigned to @cmaxim:

Summary

Hello,

The feature allows an EPIC to be confidential, which can then only contain confidential issues.

When a confidential EPIC is attached to confidential issues, the EPIC title is visible to Reporters of the project who have been given permissions only at the project level.

Steps to reproduce

  1. Create a group and a confidential EPIC.
  2. Create a project and a confidential Issue.
  3. Attach the confidential EPIC to the confidential issue.
  4. Give a user reporter access only at the Project level.
  5. Directly visit the confidential issue and you should see an EPIC title which is confidential. This title shouldn't be visible because the user doesn't have access at the group level directly.

What is the current bug behavior?

Confidential EPIC titles are visible to users having direct access at the project level (reporters and above) without having access at the group level.

What is the expected correct behavior?

The EPIC shouldn't be visible to users without access at the group level (reporters and above).

Output of checks

This bug happens on GitLab.com 13.2.0-pre 2ebd325ab13

Regards,
Ashish

Impact

Confidential EPIC titles attached to confidential issues are visible to project members (reporters and above).
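The following is an added illustration, not GitLab's code, of the authorization gap the report describes: the issue view renders the attached epic's title once the viewer may read the issue, without a separate check on the epic itself. All names (Group, Project, Epic, Issue, Member, the view helpers) are hypothetical models, and the scenario data is constructed to mirror the reproduction steps.

```ruby
# Hypothetical model of confidential epic/issue visibility (not GitLab's code).
ACCESS  = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
Member  = Struct.new(:user, :level)                  # one membership at one scope
Group   = Struct.new(:name, :members)                 # group-level memberships
Project = Struct.new(:name, :group, :members)         # project-level memberships
Epic    = Struct.new(:title, :group, :confidential)
Issue   = Struct.new(:title, :project, :confidential, :epic)

def access_level(members, user)
  m = members.find { |x| x.user == user }
  m ? ACCESS[m.level] : 0
end

# Confidential issues are readable by reporters and above; group membership
# is inherited by the project, so either scope counts here.
def can_read_issue?(user, issue)
  lvl = [access_level(issue.project.members, user),
         access_level(issue.project.group.members, user)].max
  issue.confidential ? lvl >= ACCESS[:reporter] : lvl >= ACCESS[:guest]
end

# Confidential epics belong to the group: only group-level reporter access
# (or above) qualifies; a project-level membership does not flow upward.
def can_read_epic?(user, epic)
  lvl = access_level(epic.group.members, user)
  epic.confidential ? lvl >= ACCESS[:reporter] : lvl >= ACCESS[:guest]
end

# Reported behaviour: epic title rendered as soon as the issue is readable.
def issue_view_vulnerable(user, issue)
  return nil unless can_read_issue?(user, issue)
  { title: issue.title, epic_title: issue.epic&.title }
end

# Expected behaviour: the epic title is included only if the viewer may also
# read the epic in its own right.
def issue_view_fixed(user, issue)
  return nil unless can_read_issue?(user, issue)
  show_epic = issue.epic && can_read_epic?(user, issue.epic)
  { title: issue.title, epic_title: show_epic ? issue.epic.title : nil }
end

# Constructed scenario: project-level reporter, no group membership.
def scenario
  group   = Group.new("grp", [])
  project = Project.new("proj", group, [Member.new("reporter1", :reporter)])
  epic    = Epic.new("Secret roadmap", group, true)
  issue   = Issue.new("Secret bug", project, true, epic)
  [issue_view_vulnerable("reporter1", issue), issue_view_fixed("reporter1", issue)]
end
```

Running `scenario` returns the leaked title from the vulnerable view and `nil` for the epic title from the fixed view, while a group-level reporter still sees it in both.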