Non- members can resolve/unresolved discussions from public projects

HackerOne report #578057 by ashish_r_padelkar on 2019-05-12, assigned to estrike:

Summary

Hello,

As per this article https://docs.gitlab.com/ee/user/discussions/#resolvable-comments-and-discussions ,

They can then be individually resolved by anyone with at least Developer access to the project or by the author of the change being reviewed.

This is true and they can resolve/unresolved all discussions individually. However, the user with no permissions to public projects can resolve/unresolved their own reply too!.

The problem with this is , if all the other comments/replies from the discussion thread is resolved , non members can simply change the whole discussions status to resolve/unresolved by simply posting a reply on discussions!

Steps to reproduce

1. Create any discussion thread in merge difference on public projects merge requests.
2. Now mark all the replies from this thread to resolved. This will eventually mark the discussion thread as Resolved too!

3. Now as any non member, simply post a reply on this thread. The reply will automatically posted as Resolved as discussion is resolved already!

4. However, he can now just use this resolve/unresolved button to change the status of his own reply. Just click on green check

5. On changing the status of his own reply, the whole discussion threads status changed as well! and the thread appears like below and resolved by username who is not a member of the project!

What is the current bug behavior?

Non- members can resolve/unresolved discussions from public projects

What is the expected correct behavior?

Only developer or author of the change should be allowed to change the statuses as mentioned in the article

Output of checks

This bug happens on GitLab.com and should also happen on omnibus installations too!

Suggested Fix

Guest/ reporter/non members should-not be allowed to resolve their own replies Also

Regards,
Ashish

Impact

Non members can resolve/unresolved discussions from public projects

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• Screenshot_2019-05-12_at_18.13.46.png
• Screenshot_2019-05-12_at_18.16.09.png
• Screenshot_2019-05-12_at_18.16.54.png