
Email invited members can join projects even after the member lock has been enabled

HackerOne report #1256967 by justas_b on 2021-07-10, assigned to GitLab Team:


Report


Summary

Email invites don't get revoked after the Member lock option has been turned on in group settings. More info: https://docs.gitlab.com/ee/user/group/#prevent-members-from-being-added-to-a-group

Steps to reproduce
  1. Create a group
  2. Create a project
  3. Send an invite to an email you own but haven't yet created a GitLab account with (screenshot: bandicam_2021-07-10_18-29-56-026.jpg)
  4. Go to Settings -> General -> Permissions and turn on the Member lock option (screenshot: bandicam_2021-07-10_18-29-34-279.jpg)
  5. Create a GitLab account with the email you've sent an invitation to
  6. When the account is created, it joins the project automatically (screenshots: bandicam_2021-07-10_18-35-39-621.jpg, bandicam_2021-07-10_18-36-02-456.jpg)


What is the current bug behavior?

New members can join projects when member lock is enabled

What is the expected correct behavior?

All email invites should be revoked when member lock is enabled
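To make the expected behaviour concrete, the following is an added example written for this page; it is not GitLab's code and does not reflect how GitLab implements membership. It models a group with a member lock, a project in it, and pending email invites, then replays the report's steps against two policies: one that only sets the flag (the behaviour reported) and one that revokes pending invites when the lock is enabled and re-checks the lock at acceptance time. All names (Group, Project, Invite, VulnerableMemberLock, HardenedMemberLock, reproduce) are hypothetical.

```ruby
# Illustrative model of the report's scenario. Not GitLab code; every class
# and method name here is invented for this example.
require 'set'

class MemberLockError < StandardError; end

# state is one of :pending, :accepted, :revoked
Invite = Struct.new(:email, :project, :state)

class Group
  attr_reader :name, :projects
  attr_accessor :membership_lock

  def initialize(name)
    @name = name
    @projects = []
    @membership_lock = false
  end
end

class Project
  attr_reader :group, :members, :invites

  def initialize(group)
    @group = group
    @members = Set.new
    @invites = []
    group.projects << self
  end

  # Issuing a new invite is refused while the lock is on (both policies below
  # share this check; the report is about invites issued *before* the lock).
  def invite(email)
    raise MemberLockError, 'member lock is enabled' if group.membership_lock
    inv = Invite.new(email.downcase, self, :pending)
    @invites << inv
    inv
  end
end

# Reported behaviour: enabling the lock only flips a flag, and accepting an
# invite looks at the invite's own state, never at the group's lock.
module VulnerableMemberLock
  def self.enable(group)
    group.membership_lock = true
  end

  def self.accept(invite)
    return false unless invite.state == :pending
    invite.state = :accepted
    invite.project.members << invite.email
    true
  end
end

# Expected behaviour: enabling the lock revokes every pending invite in the
# group, and acceptance re-checks the lock because it may have been enabled
# between issuing and accepting (e.g. a lock toggled after this snapshot).
module HardenedMemberLock
  def self.enable(group)
    group.membership_lock = true
    group.projects.each do |project|
      project.invites.each { |i| i.state = :revoked if i.state == :pending }
    end
  end

  def self.accept(invite)
    return false unless invite.state == :pending
    if invite.project.group.membership_lock
      invite.state = :revoked
      return false
    end
    invite.state = :accepted
    invite.project.members << invite.email
    true
  end
end

# Replays the report's steps: invite before the lock, enable the lock, then
# the invitee creates an account and the invite is processed.
def reproduce(policy)
  group = Group.new('example-group')          # constructed sample data
  project = Project.new(group)
  invite = project.invite('newuser@example.com') # step 3
  policy.enable(group)                           # step 4
  policy.accept(invite)                          # steps 5-6
  { joined: project.members.include?('newuser@example.com'),
    invite_state: invite.state }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{reproduce(VulnerableMemberLock)}"
  puts "hardened:   #{reproduce(HardenedMemberLock)}"
end
```

The point the example makes is that a check applied only when an invite is issued is not enough: the lock is a group-level state that can change after the invite exists, so it has to be enforced again at the moment the invite turns into a membership, and enabling it should also clean up invites that are already outstanding.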


Output of checks

This bug happens on GitLab.com


Impact

New members can join projects when the member lock option is enabled

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Rohit Shambhuni