  • #336169
Closed
Issue created Jul 14, 2021 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Email invited members can join projects even after the member lock has been enabled

HackerOne report #1256967 by justas_b on 2021-07-10, assigned to GitLab Team:


Report


Summary

Email invites don't get revoked after the Member lock option has been turned on in the group settings. More info: https://docs.gitlab.com/ee/user/group/#prevent-members-from-being-added-to-a-group

Steps to reproduce
  1. Create a group
  2. Create a project
  3. Send an invite to an email you own but haven't yet created a GitLab account with

bandicam_2021-07-10_18-29-56-026.jpg

  4. Go to Settings -> General -> Permissions and turn on the Member lock option

bandicam_2021-07-10_18-29-34-279.jpg

  5. Create a GitLab account with the email you've sent an invitation to
  6. When the account is created, it joins the project automatically

bandicam_2021-07-10_18-35-39-621.jpg

bandicam_2021-07-10_18-36-02-456.jpg


What is the current bug behavior?

New members can join projects when member lock is enabled

What is the expected correct behavior?

All email invites should be revoked when member lock is enabled


Output of checks

This bug happens on GitLab.com


Impact

New members can join projects when the member lock option is enabled

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • bandicam_2021-07-10_18-29-34-279.jpg
  • bandicam_2021-07-10_18-29-56-026.jpg
  • bandicam_2021-07-10_18-35-39-621.jpg
  • bandicam_2021-07-10_18-36-02-456.jpg
Edited Mar 23, 2022 by Rohit Shambhuni
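The check a group owner would want after reading this report, as an added example that is not part of the original report and not GitLab's own code: walk the projects of a group whose member lock is on and list (or revoke) e-mail invitations that were sent before the lock was enabled, since the lock itself does not revoke them. The member lock applies to projects in the group (per the linked documentation), so the audit inspects project invitations, not group ones. It assumes the documented REST endpoints GET /groups/:id (with the `membership_lock` attribute), GET /groups/:id/projects and the Invitations API (GET and DELETE /projects/:id/invitations); the GITLAB_URL and GITLAB_TOKEN variable names, the host, the group and project ids and the invite data in the fixture are constructed for illustration.

```python
"""Audit a member-locked GitLab group for project e-mail invites sent before the lock
was enabled, and optionally revoke them.  Added example, not GitLab's code; endpoint
names follow the public REST API docs, everything else here is an assumption."""
import json
import os
import urllib.parse
import urllib.request
from dataclasses import dataclass

GITLAB_URL = os.environ.get("GITLAB_URL", "https://gitlab.example.com")  # hypothetical host
GITLAB_TOKEN = os.environ.get("GITLAB_TOKEN", "")  # personal access token, `api` scope


class GitLabClient:
    """Minimal REST client over urllib (GET and DELETE only).  Pagination is not
    followed, so a group with more than 100 projects also needs the Link header."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/") + "/api/v4"
        self.token = token

    def _call(self, method, path, params=None):
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, method=method,
                                     headers={"PRIVATE-TOKEN": self.token})
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else None

    def get(self, path, params=None):
        return self._call("GET", path, params)

    def delete(self, path):
        return self._call("DELETE", path)


@dataclass(frozen=True)
class PendingInvite:
    project_id: int
    project_path: str
    email: str
    access_level: int


def pending_project_invites(client, group_id):
    """Pending e-mail invites on every project in the group and its subgroups,
    but only when the group's member lock is on; otherwise there is nothing to audit."""
    group = client.get(f"/groups/{group_id}")
    if not group.get("membership_lock"):
        return []
    found = []
    projects = client.get(f"/groups/{group_id}/projects",
                          {"include_subgroups": "true", "per_page": 100})
    for project in projects:
        for inv in client.get(f"/projects/{project['id']}/invitations"):
            found.append(PendingInvite(project["id"], project["path_with_namespace"],
                                       inv["invite_email"], inv["access_level"]))
    return found


def revoke(client, invites, dry_run=True):
    """Delete each pending invite (dry run by default); returns the API paths acted on."""
    paths = []
    for inv in invites:
        # The e-mail is a path segment, so its '@' must be percent-encoded.
        path = f"/projects/{inv.project_id}/invitations/{urllib.parse.quote(inv.email)}"
        if not dry_run:
            client.delete(path)
        paths.append(path)
    return paths


class FakeClient:
    """Constructed canned responses mirroring the report: one group, one project that
    still holds an e-mail invite issued before the lock was turned on."""

    def __init__(self, locked=True):
        self.deleted = []
        self.routes = {
            "/groups/42": {"id": 42, "membership_lock": locked},
            "/groups/42/projects": [{"id": 7, "path_with_namespace": "locked-group/app"}],
            "/projects/7/invitations": [
                {"id": 1, "invite_email": "invitee@example.org", "access_level": 30}],
        }

    def get(self, path, params=None):
        return self.routes[path]

    def delete(self, path):
        self.deleted.append(path)


def demo(locked=True, dry_run=False):
    """Run the audit against the fixture; returns (invites found, paths, actually deleted)."""
    fake = FakeClient(locked)
    invites = pending_project_invites(fake, 42)
    return invites, revoke(fake, invites, dry_run=dry_run), fake.deleted


if __name__ == "__main__":
    # Against a live instance: pending_project_invites(GitLabClient(GITLAB_URL, GITLAB_TOKEN), group_id)
    for inv in demo()[0]:
        print(f"{inv.project_path}: pending invite for {inv.email}, access level {inv.access_level}")
```

Run it with `dry_run=True` first and review the listed e-mails: the same API also surfaces invites a project maintainer sent on purpose, and revoking them is a policy decision for the group owner, not something the lock setting does on its own.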