Project reporters(and above) can see confidential EPIC attached to confidential issues
HackerOne report #919468 by ashish_r_padelkar
on 2020-07-09, assigned to @cmaxim:
Summary
Hello,
The feature allows an EPIC to be confidential, in which case it can only contain confidential issues.
When a confidential EPIC is attached to a confidential issue, the EPIC title is visible to Reporters of the project who have been given permissions only at the project level.
Steps to reproduce
- Create a group and confidential EPIC.
- Create a project and confidential Issue.
- Attach a confidential EPIC to confidential issue.
- Give user a reporter access only at Project level.
- Directly visit the confidential issue and you should see an EPIC title which is confidential. This title shouldn't be visible because the user doesn't have access at the group level directly.
What is the current bug behavior?
Confidential EPIC titles are visible to users who have direct access at the project level (reporters and above) but no access at the group level.
What is the expected correct behavior?
The EPIC shouldn't be visible to users who don't have access at the group level (reporters and above).
Output of checks
This bug happens on GitLab.com 13.2.0-pre 2ebd325ab13
Regards,
Ashish
Impact
Confidential EPIC titles attached to confidential issues are visible to project members (reporters and above).
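The authorization gap behind the steps and the expected behavior above, as an added model (not GitLab's code): the vulnerable path reveals the epic title as soon as the viewer may read the issue, while the hardened path also authorizes the epic on its own against group membership. Struct names, access levels (GUEST/REPORTER) and the fixture are assumptions.

```ruby
# Self-contained model of the report's scenario; names and levels are assumed.
GUEST = 10
REPORTER = 20

Group   = Struct.new(:members)               # members: { user => access_level }
Project = Struct.new(:group, :members)
Epic    = Struct.new(:group, :title, :confidential)
Issue   = Struct.new(:project, :epic, :confidential)

def project_access(user, project)
  # Group membership is inherited by the group's projects; direct project
  # membership (the report's "reporter access only at project level") is not
  # inherited upwards to the group.
  [project.members[user], project.group.members[user]].compact.max
end

def can_read_issue?(user, issue)
  level = project_access(user, issue.project)
  return false if level.nil?
  !issue.confidential || level >= REPORTER
end

def can_read_epic?(user, epic)
  # Epics belong to the group, so only group-level access counts here.
  level = epic.group.members[user]
  return false if level.nil?
  !epic.confidential || level >= REPORTER
end

# Vulnerable: the epic title rides along with issue visibility.
def epic_title_vulnerable(user, issue)
  can_read_issue?(user, issue) ? issue.epic&.title : nil
end

# Hardened: the attached epic is authorized separately from the issue.
def epic_title_fixed(user, issue)
  return nil unless can_read_issue?(user, issue) && issue.epic
  can_read_epic?(user, issue.epic) ? issue.epic.title : nil
end

# Constructed fixture mirroring the reproduction steps: a project-only
# reporter, a confidential epic in the parent group, a confidential issue.
def scenario
  reporter = :project_reporter
  group = Group.new({})
  project = Project.new(group, { reporter => REPORTER })
  epic = Epic.new(group, "Confidential epic", true)
  issue = Issue.new(project, epic, true)
  [reporter, issue]
end
```

Running both paths over the fixture shows the leak (title returned) and the fix (nil); the same check belongs on every surface that renders the epic reference, including the issue API response.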