
Guest user is able to create confidential issues in private project

HackerOne report #670322 by jr0ch17 on 2019-08-09, assigned to jmatos_bgtvf:

Hi,

Description

A user with the Guest role is able to create confidential issues in a private project even though the documentation says otherwise. You can view the permissions documentation here.
Screen_Shot_2019-08-09_at_2.13.38_AM.png
Screen_Shot_2019-08-09_at_2.16.21_AM.png

Steps to reproduce

In this PoC, we'll have User1, who is the admin of the private project, and User2, who is a guest member of the private project.

  1. As User1, create a private project and invite User2 as a member and give them Guest permissions.
    Screen_Shot_2019-08-09_at_2.27.43_AM.png
    Screen_Shot_2019-08-09_at_2.28.29_AM.png
  2. As User2, browse to User1's private project's issues.
  3. Create a new issue. You'll notice the checkbox to make the issue confidential is available, while it appears it should not be, as per the documentation.
    Screen_Shot_2019-08-09_at_2.29.06_AM.png

Here's a small video showing the issue.
GitLab_-_Guest_creating_confidential_issue.mov

Impact

I'm unsure of what the real impact is here, but it appears there's some simple access control missing, as the option to create confidential issues as a guest user in a private project should not be possible.

Let me know if you have any questions or require more details.

Thanks,
@JR0ch17
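The steps above reproduce the problem through the web UI, where the visible checkbox is the evidence. The access-control question a reviewer would want answered next is whether the server also accepts `confidential: true` from the Guest account, or only the form shows it. The following script is an added example, not part of the report or of GitLab's code: it sends the same request over the documented GitLab REST endpoint `POST /projects/:id/issues` (which accepts a `confidential` parameter) as the Guest user and classifies the result. `GITLAB_URL`, `PROJECT_ID` and `GUEST_TOKEN` are placeholders for User1's instance, private project and User2's personal access token; nothing here states what GitLab actually returned for this report.

```python
"""
Added example (not from the report): reproduce the Guest / confidential-issue
check over GitLab's REST API instead of the web UI, so the server-side
behaviour is tested rather than only the presence of the checkbox.

GITLAB_URL, PROJECT_ID and GUEST_TOKEN are placeholders; replace them with
the admin's instance, the private project's id and a personal access token
belonging to the Guest member (User2 in the report).
"""
import json
import urllib.error
import urllib.request

GITLAB_URL = "https://gitlab.example.com"   # placeholder instance
PROJECT_ID = 1                               # placeholder private project id
GUEST_TOKEN = "glpat-guest-placeholder"      # placeholder token for the Guest user


def build_issue_request(base_url, project_id, token, title, confidential=True):
    """Build POST /projects/:id/issues with the confidential flag set.

    The endpoint and the `confidential` parameter are documented GitLab API
    features; the values passed in are placeholders.
    """
    url = f"{base_url}/api/v4/projects/{project_id}/issues"
    body = json.dumps({"title": title, "confidential": confidential}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )


def classify_response(status, payload):
    """Map an API result to the outcomes that matter for this report.

    denied                   -> server rejected the Guest's request
    confidential_created     -> Guest created an issue and it is confidential
    created_not_confidential -> issue created but the flag was dropped
    unexpected               -> anything else (rate limit, wrong project id, ...)
    """
    if status in (401, 403):
        return "denied"
    if status == 201:
        if payload.get("confidential") is True:
            return "confidential_created"
        return "created_not_confidential"
    return "unexpected"


def run_check(base_url=GITLAB_URL, project_id=PROJECT_ID, token=GUEST_TOKEN):
    """Send the request as the Guest user and classify what came back."""
    req = build_issue_request(base_url, project_id, token,
                              "guest confidential issue test")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
            payload = json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:
        # 401/403 etc. arrive as HTTPError; the status code is what we need.
        status = err.code
        payload = {}
    return classify_response(status, payload)


if __name__ == "__main__":
    print(run_check())
```

A result of `denied` means the API enforces the documented permission even though the UI shows the checkbox; `confidential_created` means the server accepts the flag from a Guest, which is the stronger finding. Run it against a throwaway project, since it creates a real issue on success.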

Attachments

Warning: Attachments received through HackerOne, please exercise caution!