Guests can see Contribution Analytics of group members when they are not members
HackerOne report #446435 by ashish_r_padelkar on 2018-11-17:
Summary: Hello,
As we know, when there is a project inside a group, you can add members at project level without adding them at group level.
When you become a member of a project, you implicitly become part of the group, as I read here https://gitlab.com/gitlab-org/gitlab-ce/issues/39820
However, when the group is private, and if you give a user Guest membership to a private project inside the private group, they should not see Contribution Analytics of group members at group level!
Description:
The Contribution Analytics page should not be visible to guests anyway, as it displays all the counts such as merge requests, issues etc. per user in a group!
Specifically, in cases where a user has explicit Guest access to a private project within a private group, they should not see analytics at group level, because they are not a member of the group!
I understand that you want to give read-only access to some group features, but in my opinion analytics should not be visible!
Steps To Reproduce:
- Create a Private Project under a Private group
- Now add a Guest at Private Project level. Note that he should have access at group level
- When you log in as the Guest, you can see Contribution Analytics from the group and all the analytics, such as the number of merge requests, issues etc., from members of the group who may be part of other private projects in the same group where you don't have any access!
Regards, Ashish
Impact
Guest can see group's contribution analytics
Proposed solution
As per this comment
- We keep the sidebar visibility of the feature as before
- For the feature endpoint (JSON format):
  - we throw a 403 if the user doesn't have access to the feature, regardless of showing promotions
  - we return data with a 200 otherwise
- For the feature page:
  - if the user has access to the feature, we show the page just fine
  - if the user doesn't have access, and promotions are off, we throw a 403
  - if the user doesn't have access, and promotions are on, we show a promotional message on the page, not the actual data
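The decision table above, together with the membership distinction the reporter relies on (a Guest added at project level is not a direct member of the group), as an added stand-alone Ruby model. This is example code written for this page, not GitLab's own implementation: the `Group`/`Project` classes, the numeric access levels, the Reporter-or-higher threshold for reading contribution analytics and the `promotions_enabled` flag are all assumptions made for illustration.

```ruby
# Added example (not GitLab code): models the proposed access decision for
# Contribution Analytics. Access levels and the Reporter threshold are assumed.

GUEST     = 10
REPORTER  = 20
DEVELOPER = 30

class Group
  attr_reader :name, :members, :projects

  def initialize(name)
    @name = name
    @members = {}   # user => access level granted directly on the group
    @projects = []
  end

  def add_member(user, level)
    @members[user] = level
  end

  # Only a direct group membership counts. A membership on one project inside
  # the group (the reporter's scenario) does NOT make the user a group member
  # for this check, even though it implicitly lets them reach the group.
  def direct_member?(user)
    @members.key?(user)
  end
end

class Project
  attr_reader :group, :members

  def initialize(group)
    @group = group
    @members = {}   # user => access level granted only on this project
    group.projects << self
  end

  def add_member(user, level)
    @members[user] = level
  end
end

# Policy (assumed threshold): contribution analytics requires an explicit
# group membership at Reporter or higher; a project-level Guest is denied.
def can_read_contribution_analytics?(user, group)
  group.direct_member?(user) && group.members[user] >= REPORTER
end

# The proposed decision table as a pure function. `format` is :json for the
# data endpoint or :html for the page; returns [status, body_kind].
def analytics_response(user, group, format:, promotions_enabled:)
  authorized = can_read_contribution_analytics?(user, group)
  case format
  when :json
    # Data endpoint: 403 whenever unauthorized, promotions do not matter.
    authorized ? [200, :data] : [403, :forbidden]
  when :html
    if authorized
      [200, :page_with_data]
    elsif promotions_enabled
      [200, :promotion]   # promotional text only, never the per-user counts
    else
      [403, :forbidden]
    end
  else
    raise ArgumentError, "unknown format #{format.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: private group, private project, Guest only on the project.
  group = Group.new('private-group')
  project = Project.new(group)
  group.add_member('alice', REPORTER)
  project.add_member('bob', GUEST)
  [:json, :html].each do |fmt|
    [true, false].each do |promo|
      puts "bob #{fmt} promotions=#{promo}: #{analytics_response('bob', group, format: fmt, promotions_enabled: promo).inspect}"
    end
  end
end
```

Run it directly to print the four responses for the project-level Guest: the JSON endpoint is a 403 in both promotion modes, and the page is either a 403 or a promotion, so the per-user counts never reach a user who is not a group member.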