Analytics visible to non member users despite `Only Project Members`

HackerOne report #1064645 by ashish_r_padelkar on 2020-12-22, assigned to @dcouture:

Report

Summary

Hello,

When you set Analytics in a public project as Only Project Members, non-members should not see the analytics pages. However, they can still see the pages if they directly visit the Analytics URLs.

Steps to reproduce
  1. Create a public project and set Analytics as Only Project Members.

Screenshot_2020-12-22_at_23.46.00.png

  2. Log in as a non-member and navigate to this public project. You won't see the Analytics menu, as expected.
  3. Now use these direct URLs and you will be able to see the analytics:

/-/graphs/master/charts
insights/#/issues
-/analytics/code_reviews
etc.

What is the current bug behavior?

Analytics pages are still visible to non-members in a public project despite the setting Only Project Members.

What is the expected correct behavior?

Analytics pages should not be accessible to non-members when such settings are in place.

Output of checks

This bug happens on GitLab.com GitLab Enterprise Edition 13.8.0-pre 2fb64612ef2

Regards,
Ashish

Impact

Analytics pages visible to non-members despite the setting Only Project Members.
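The report describes a classic gap between presentation and authorization: the navigation menu honours the "Only Project Members" setting, but the routes behind it do not. The following Ruby sketch is an added illustration, not GitLab's code, showing that gap next to the fix: one policy method decides access, and the hardened handler applies that same policy to the request itself rather than only to menu rendering. The `Project`/`User` structs, the `FeatureAccess` levels, the handler functions and the 404 response are assumptions for the example; the analytics paths are the ones from the report, normalised here to absolute paths with the URL fragment dropped.

```ruby
# Added example (not GitLab's code): why hiding a menu entry is not an
# access-control check, and how enforcing the same policy on the route
# closes the bypass described in the report. All names are assumptions.

# Access levels a project feature can be set to, modelled after the
# "Everyone" / "Only Project Members" / "Disabled" choices in the report.
module FeatureAccess
  DISABLED = :disabled
  PRIVATE  = :private   # "Only Project Members"
  ENABLED  = :enabled   # everyone who can see the project
end

Project = Struct.new(:public, :members, :analytics_access, keyword_init: true)
User    = Struct.new(:name, keyword_init: true)

# Is the (possibly anonymous) user a member of the project?
def member?(user, project)
  !user.nil? && project.members.include?(user.name)
end

# Central policy: the single place that decides whether a user may
# reach the analytics feature of a project.
def can_read_analytics?(user, project)
  case project.analytics_access
  when FeatureAccess::DISABLED then false
  when FeatureAccess::ENABLED  then project.public || member?(user, project)
  when FeatureAccess::PRIVATE  then member?(user, project)
  else false
  end
end

# Paths that belong to the analytics feature (taken from the report,
# written as absolute paths for this example).
ANALYTICS_PATHS = %w[/-/graphs/master/charts /insights /-/analytics/code_reviews].freeze

def analytics_path?(path)
  ANALYTICS_PATHS.any? { |prefix| path.start_with?(prefix) }
end

# Vulnerable handler: only the navigation menu consults the policy, so a
# direct request to an analytics path is served to anyone who knows the URL.
def handle_request_menu_only(user, project, path)
  menu = can_read_analytics?(user, project) ? ['Analytics'] : []
  body = analytics_path?(path) ? 'analytics page' : 'other page'
  { status: 200, menu: menu, body: body }
end

# Hardened handler: the route itself is gated by the same policy, so the
# menu and the direct URL can never disagree. 404 is used here so that the
# response does not reveal whether the feature exists; 403 is the other
# common choice.
def handle_request_enforced(user, project, path)
  menu = can_read_analytics?(user, project) ? ['Analytics'] : []
  if analytics_path?(path)
    return { status: 404, menu: menu, body: 'not found' } unless can_read_analytics?(user, project)
    { status: 200, menu: menu, body: 'analytics page' }
  else
    { status: 200, menu: menu, body: 'other page' }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: a public project with analytics set to members only.
  project  = Project.new(public: true, members: ['maintainer'], analytics_access: FeatureAccess::PRIVATE)
  outsider = User.new(name: 'outsider')
  puts handle_request_menu_only(outsider, project, '/-/analytics/code_reviews').inspect
  puts handle_request_enforced(outsider, project, '/-/analytics/code_reviews').inspect
end
```

Running the script shows the outsider getting `status: 200` from the menu-only handler (with an empty menu, exactly the situation in the report) and `status: 404` from the enforced one. The useful property to test for in a real code base is that every analytics route calls the policy, not that the menu is hidden.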

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: