Documentation Change: `Project Maintainer` is able to rename the project and change the path of the project
Description
The HackerOne report below came in to let us know that a Project Maintainer is able to rename a project, despite the documentation indicating otherwise. I believe this is a situation where we need to update the docs.
This documentation indicates that a Maintainer should not be able to rename a project:
However, this section of the documentation indicates:
Only project maintainers and administrators have the permissions to rename a repository.
Additionally, this section says:
Only project maintainers and administrators have the permissions to access project settings.
Fix
Update the permissions table to indicate that a Maintainer can rename projects.
Original HackerOne Report below:
HackerOne report #1133485 by sp4rrow on 2021-03-23, assigned to GitLab Team:
Report
Summary
A Project Member with Maintainer permission is able to rename the project and change the path of the project.
Steps to reproduce
1. Create a test account, user A, on gitlab.com.
2. Create a test group (testh11) and add another user B as a maintainer.
3. Now create a test project (testkk) in the group.
4. Go to User B's account and open https://gitlab.com/testh11/testkk/edit.
5. User B can rename the project and also update the path of the project.
As per the permissions stated on https://docs.gitlab.com/ee/user/permissions.html, it clearly says a Maintainer is not allowed to rename a project.
Impact
A malicious user who is a maintainer is allowed to rename the project and also update the path of the project, which ideally he should not be allowed to.
What is the current bug behavior?
A malicious user who is a maintainer is allowed to rename the project and also update the path of the project, which ideally he should not be allowed to.
What is the expected correct behavior?
As per the permissions stated on https://docs.gitlab.com/ee/user/permissions.html, it clearly says a Maintainer is not allowed to rename a project.
Impact
A malicious user who is a maintainer is allowed to rename the project and also update the path of the project, which ideally he should not be allowed to, and an owner would follow the documentation on gitlab.com; however, the role permissions are not working as expected.
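Since a Maintainer can rename a project or change its path, the practical follow-up for a group owner is to notice when that happens. The script below is an added detection example, not part of this issue or the HackerOne report: it parses a GitLab system-hook payload for a project rename or transfer (the field names are assumed from GitLab's system hook documentation; the sample payloads are constructed) and reports what changed.

```python
import json
from typing import Optional

# Constructed sample of a GitLab system-hook "project_rename" payload.
# The field names follow GitLab's system hook documentation (an assumption,
# not something the issue above shows); the values are made up.
SAMPLE_RENAME_EVENT = json.dumps({
    "event_name": "project_rename",
    "project_id": 1234,
    "name": "testkk",
    "path": "testkk-renamed",
    "path_with_namespace": "testh11/testkk-renamed",
    "old_path_with_namespace": "testh11/testkk",
    "project_visibility": "private",
})

# Constructed payload for an unrelated event, to show that it is ignored.
SAMPLE_OTHER_EVENT = json.dumps({"event_name": "project_create", "project_id": 99})


def classify_path_change(raw_payload: str) -> Optional[dict]:
    """Summarise a project rename/transfer; return None for any other event.

    Both "project_rename" and "project_transfer" carry old_path_with_namespace
    and path_with_namespace, so one comparison covers a path change inside
    the same group and a move to a different namespace.
    """
    event = json.loads(raw_payload)
    if event.get("event_name") not in ("project_rename", "project_transfer"):
        return None
    old = event.get("old_path_with_namespace", "")
    new = event.get("path_with_namespace", "")
    old_ns, _, old_slug = old.rpartition("/")
    new_ns, _, new_slug = new.rpartition("/")
    return {
        "project_id": event.get("project_id"),
        "old_path": old,
        "new_path": new,
        "slug_changed": old_slug != new_slug,
        "namespace_changed": old_ns != new_ns,
        # Any change to the full path means every clone URL, CI include and
        # API call that used the old path now refers to a different location.
        "clone_url_affected": old != new,
    }


if __name__ == "__main__":
    for payload in (SAMPLE_RENAME_EVENT, SAMPLE_OTHER_EVENT):
        print(classify_path_change(payload))
```

System hooks do not say which member performed the rename; pair this with the project's audit events, which record the acting user, to attribute the change to a specific Maintainer account.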