Skip to content

Documentation Change: `Project Maintainer` is able to rename the project and Change path of the project

Description

The HackerOne report below came in to let us know that a Project Maintainer is able to rename a project, despite the documentation indicating otherwise. I believe this is a situation where we need to update the docs.

This documentation indicates that a Maintainer should not be able to rename a project:

Screen_Shot_2021-04-09_at_10.40.20_AM

However, this section of the documentation indicates:

Only project maintainers and administrators have the permissions to rename a repository.

Additionally, this section says:

Only project maintainers and administrators have the permissions to access project settings.

Fix

Update the permissions table to indicate that a Maintainer can rename projects

Original HackerOne Report below:

HackerOne report #1133485 by sp4rrow on 2021-03-23, assigned to GitLab Team:

Report | How To Reproduce

Report

Summary

A Project Member with Maintainer permission is able to rename the project and Change path of the project

Steps to reproduce

(1. Create a test account user A on gitlab.com)
(2. Create a test group(testh11) and add another user B as a maintainer)
(3. now create a test project(testkk) in the group)
(4. go to User B account and go to https://gitlab.com/testh11/testkk/edit)
(5. User B can rename the project and also update the path of the project)

as per the permissions stated on https://docs.gitlab.com/ee/user/permissions.html
it clearly says Maintainer is not allowed to Rename project.

Impact

a malicious user who is maintainer is allowed to Rename project and also update the path of the project which ideally he should not be allowed to.
(Summarize the impact on users)

What is the current bug behavior?

a malicious user who is maintainer is allowed to Rename project and also update the path of the project which ideally he should not be allowed to

What is the expected correct behavior?

as per the permissions stated on https://docs.gitlab.com/ee/user/permissions.html
it clearly says Maintainer is not allowed to Rename project.

Impact

a malicious user who is maintainer is allowed to Rename project and also update the path of the project which ideally he should not be allowed to, and owner would follow the documentation mentioned in gitlab.com however the roles permissions are not working as expected.

How To Reproduce

Please add reproducibility information to this section:

Edited by Andrew Kelly