Introduce setting to restrict visibility of Confluence (and other) Integrations
In the project settings, maintainers can restrict the visibility of, and access to, certain parts of the project (for example the wiki). There does not currently appear to be a way to change the visibility of, or access to, the Confluence integration (or other integrations) within GitLab: the integration's wiki page is served regardless of the wiki visibility setting.
The purpose of this issue is to track the effort related to adding such controls for the Confluence integration (and perhaps for other integrations where it makes sense).
Note: This originally came in as a HackerOne report but since it was determined that there is no actionable security vulnerability it has been changed to a feature request.
Original HackerOne Report Title: Confluence wiki visible even when the Wiki visibility has been set to Only Project Members
HackerOne report #1040211 by shells3c
on 2020-11-21, assigned to @ankelly:
Report
Summary
Even if you set the Wiki visibility to Only Project Members, anonymous users can still access the Confluence Wiki page, which contains the Wiki link!
Steps to reproduce
- Set the Wiki visibility to Only Project Members at
https://gitlab.com/:user/:project/edit
- Now let's use the Confluence Workspace integration, by visiting
https://gitlab.com/:user/:project/-/settings/integrations
and adding the Wiki link.
- After finishing, visit this link from an incognito window:
https://gitlab.com/:user/:project/-/wikis/-/confluence
- You will be able to view the wiki link, although the Wiki should be private according to the general setting.
What is the current bug behavior?
Able to access the Confluence Wiki from https://gitlab.com/:user/:project/-/wikis/-/confluence
What is the expected correct behavior?
You should block access to https://gitlab.com/:user/:project/-/wikis/*
Output of checks
This bug happens on GitLab.com
Impact
Unauthenticated users can access the Confluence Wiki page (with the Wiki link) although the owner wants it to be private. From what GitLab said:
>We are hard at work integrating Confluence more seamlessly into GitLab
This will be more impactful in the future.
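The report above checks the exposure by hand in an incognito window. The following is an added audit script, not part of the HackerOne report or of GitLab's own code, that performs the same check for a list of projects: for every project whose wiki is not public, it requests the `/-/wikis/-/confluence` path without any credentials and flags the project if the page is returned with a 200. The project list and their wiki access levels are assumed to be supplied by the operator (for example from the project settings or the API), and the `fake_fetch` stub and its responses are constructed here only so the example runs offline. One caveat a practitioner needs to handle: GitLab answers anonymous requests for private pages with a redirect to the sign-in page, and a client that follows redirects would see the sign-in page's 200 and misreport it as a leak, so the fetcher below refuses to follow redirects and reports the 3xx status instead.

```python
"""Audit whether a project's Confluence wiki page is reachable anonymously
while the project's wiki is set to 'private' (Only Project Members)."""
from urllib.request import Request, build_opener, HTTPRedirectHandler
from urllib.error import HTTPError

# Assumption: GitLab.com; change for a self-managed instance.
GITLAB_BASE = "https://gitlab.com"


class NoRedirect(HTTPRedirectHandler):
    """Do not follow redirects: an anonymous hit on a private page is
    redirected to /users/sign_in, and following it would yield a misleading 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled -> urlopen raises HTTPError with the 3xx code


def confluence_wiki_url(base, project_path):
    """Build the integration page URL the report describes."""
    return f"{base.rstrip('/')}/{project_path.strip('/')}/-/wikis/-/confluence"


def anonymous_status(url):
    """HTTP status of an unauthenticated GET (no cookies, no token)."""
    opener = build_opener(NoRedirect)
    req = Request(url, headers={"User-Agent": "wiki-visibility-audit"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status
    except HTTPError as e:
        return e.code  # includes 302/404 for private projects or missing pages


def audit(projects, base=GITLAB_BASE, fetch=anonymous_status):
    """projects: iterable of (project_path, wiki_access_level) where
    wiki_access_level is 'public', 'private' or 'disabled' (operator-supplied).
    Returns the project paths whose non-public wiki still exposes the
    Confluence page to an anonymous client (status 200)."""
    findings = []
    for path, wiki_access in projects:
        if wiki_access == "public":
            continue  # wiki is meant to be visible; nothing to protect
        status = fetch(confluence_wiki_url(base, path))
        if status == 200:
            findings.append(path)
    return findings


# --- constructed offline demo (hypothetical projects and responses) ---
FAKE_RESPONSES = {
    # private wiki, yet the Confluence page is served: this is the leak
    f"{GITLAB_BASE}/acme/app/-/wikis/-/confluence": 200,
    # private wiki, anonymous client redirected to sign-in: correct behaviour
    f"{GITLAB_BASE}/acme/infra/-/wikis/-/confluence": 302,
    # public wiki: skipped by the audit regardless of response
    f"{GITLAB_BASE}/acme/docs/-/wikis/-/confluence": 200,
}


def fake_fetch(url):
    """Stub standing in for anonymous_status so the example runs without network."""
    return FAKE_RESPONSES.get(url, 404)


DEMO_PROJECTS = [
    ("acme/app", "private"),
    ("acme/infra", "private"),
    ("acme/docs", "public"),
]


def demo():
    return audit(DEMO_PROJECTS, fetch=fake_fetch)


if __name__ == "__main__":
    for path in demo():
        print(f"LEAK: {path} (wiki private, Confluence page anonymously readable)")
```

Run against real projects by dropping the `fetch=` argument so `anonymous_status` is used; run it from a network position with no GitLab session, since any stored cookie would defeat the purpose of the check.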