GitLab.org / GitLab / Issues / #227820 (Closed)
Issue created Jul 10, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Project reporters (and above) can see a confidential epic attached to confidential issues

HackerOne report #919468 by ashish_r_padelkar on 2020-07-09, assigned to @cmaxim:

Summary

Hello,

The feature allows an epic to be confidential, which can then only contain confidential issues.

When a confidential issue is attached to a confidential epic, the epic title is visible to Reporters of the project who are given permissions only at the project level.

Steps to reproduce

  1. Create a group and a confidential epic.
  2. Create a project and a confidential issue.
  3. Attach the confidential epic to the confidential issue.
  4. Give a user Reporter access at the project level only.
  5. Directly visit the confidential issue and you should see an epic title which is confidential. This title shouldn't be visible because the user doesn't have access at the group level directly.

What is the current bug behavior?

Confidential epic titles are visible to users having direct access at the project level (Reporters and above) without having access at the group level.

What is the expected correct behavior?

The epic shouldn't be visible to users without access at the group level (Reporters and above).

Output of checks

This bug happens on GitLab.com 13.2.0-pre 2ebd325ab13.

Regards,
Ashish

Impact

Confidential epic titles attached to confidential issues are visible to project members (Reporters and above).
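The following is an added example, not GitLab's code and not part of the HackerOne report. It models the membership semantics the report relies on (group membership is inherited by the group's projects, but project-only membership grants nothing at the group level) and contrasts an issue view that renders the epic title whenever the user can read the issue with one that checks the epic's own group permission first. Names (`Group`, `Project`, `Epic`, `Issue`, `issue_view_buggy`, `issue_view_fixed`, the access-level constants and `reproduce`) are hypothetical; the users and titles are constructed sample data mirroring the reproduction steps.

```python
"""Illustrative authorization model for a confidential epic shown on a
confidential issue. Added example; not GitLab's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Access levels in GitLab's order. The numeric values are an assumption used
# only for comparison here.
GUEST, REPORTER, DEVELOPER, MAINTAINER = 10, 20, 30, 40


@dataclass
class Group:
    name: str
    members: Dict[str, int] = field(default_factory=dict)  # user -> level


@dataclass
class Project:
    name: str
    group: Group
    members: Dict[str, int] = field(default_factory=dict)  # direct members only


@dataclass
class Epic:
    title: str
    group: Group
    confidential: bool


@dataclass
class Issue:
    title: str
    project: Project
    confidential: bool
    epic: Optional[Epic] = None


def group_access(user: str, group: Group) -> int:
    """Direct group membership only; a project-only member gets 0 here."""
    return group.members.get(user, 0)


def project_access(user: str, project: Project) -> int:
    """Effective project access: direct membership or inherited from the group."""
    return max(project.members.get(user, 0), group_access(user, project.group))


def can_read_issue(user: str, issue: Issue) -> bool:
    level = project_access(user, issue.project)
    return level >= (REPORTER if issue.confidential else GUEST)


def can_read_epic(user: str, epic: Epic) -> bool:
    level = group_access(user, epic.group)
    return level >= (REPORTER if epic.confidential else GUEST)


def issue_view_buggy(user: str, issue: Issue) -> dict:
    """Reported behaviour: readable issue => attached epic title is rendered."""
    if not can_read_issue(user, issue):
        return {}
    view = {"title": issue.title}
    if issue.epic is not None:
        view["epic_title"] = issue.epic.title
    return view


def issue_view_fixed(user: str, issue: Issue) -> dict:
    """Expected behaviour: the epic is authorized separately, at group level."""
    if not can_read_issue(user, issue):
        return {}
    view = {"title": issue.title}
    if issue.epic is not None and can_read_epic(user, issue.epic):
        view["epic_title"] = issue.epic.title
    return view


def reproduce() -> Dict[str, dict]:
    """Constructed data following the report's steps 1-5."""
    group = Group("example-group")
    project = Project("example-group/example-project", group)
    epic = Epic("Confidential epic title", group, confidential=True)
    issue = Issue("Confidential issue", project, confidential=True, epic=epic)
    project.members["project_reporter"] = REPORTER  # step 4: project level only
    group.members["group_reporter"] = REPORTER      # a user who may see the epic
    return {
        "buggy_project_reporter": issue_view_buggy("project_reporter", issue),
        "fixed_project_reporter": issue_view_fixed("project_reporter", issue),
        "fixed_group_reporter": issue_view_fixed("group_reporter", issue),
        "fixed_outsider": issue_view_fixed("outsider", issue),
    }


if __name__ == "__main__":
    for name, view in reproduce().items():
        print(name, view)
```

The point the model makes is that a confidential issue and a confidential epic have different permission scopes (project versus group), so authorizing the parent object cannot be inferred from authorizing the child; each rendered association needs its own check.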
