Drafted Review In Merge Request Still Able To Be Published In Archived Project
HackerOne report #713376 by rafiem on 2019-10-14, assigned to @ankelly:
Hi Team,
Similar to my other report #706044. In this report, I found out that a drafted review in a merge request's changes can still be published when the project gets archived. According to the GitLab docs, an archived project is in a read-only state: comments, notes and changes cannot be performed on any of the content of the project. But in this issue, a drafted review can still be published after the project is archived.
Proof of Concept
1.) User A has a project, for example: [REDACTED]
2.) User B then makes a draft review on one of the merge requests in [REDACTED]
3.) User A then archives the project in settings
4.) User B is still able to submit and publish the draft review that he previously made, which allows User B to comment on part of the merge request, which is forbidden when the project is archived
PoC Video Attached
[REDACTED]
Impact
The user is still able to comment on a merge request through a draft review in Changes even if the merge request is in a read-only state (archived), which shouldn't be able to be modified by a normal user.
Best Regards,
[@]rafiem
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
[REDACTED]
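As an added illustration, not taken from the report or from GitLab's code base, the following Ruby sketch models the authorization gap the proof of concept describes: a draft-review flow in which the archived check runs only when the draft is created, placed beside a hardened publish path that re-checks the project's state at the moment the notes are actually written. All class and method names (Project, MergeRequest, DraftReview, publish_draft_vulnerable, publish_draft_hardened) are hypothetical, and the sample data is constructed inline.

```ruby
# Hypothetical, simplified model of the draft-review publish flow described in
# the report. Not GitLab's code; all names here are assumptions for illustration.
class ArchivedProjectError < StandardError; end

# A project that can be switched to the read-only (archived) state.
Project = Struct.new(:name, :archived) do
  def archive!
    self.archived = true
  end
end

# A merge request accumulates published notes (comments).
MergeRequest = Struct.new(:project, :notes)

DraftReview = Struct.new(:author, :merge_request, :comments, :published)

# Draft creation checks that the project is writable at that moment.
def create_draft(author, merge_request, comments)
  raise ArchivedProjectError, "project is archived" if merge_request.project.archived
  DraftReview.new(author, merge_request, comments, false)
end

# Vulnerable publish path: trusts the check made when the draft was created and
# copies the draft comments into the merge request without re-checking the
# project's archived state. This is the behaviour the report describes.
def publish_draft_vulnerable(draft)
  draft.comments.each { |c| draft.merge_request.notes << c }
  draft.published = true
  draft
end

# Hardened publish path: the write authorization is re-evaluated when the state
# change happens, so a project archived between draft creation and publish is
# respected and no notes are written.
def publish_draft_hardened(draft)
  project = draft.merge_request.project
  raise ArchivedProjectError, "project is archived" if project.archived
  draft.comments.each { |c| draft.merge_request.notes << c }
  draft.published = true
  draft
end

# Replays the report's four steps against a given publish path and returns the
# outcome: whether the draft was marked published, how many notes landed on the
# merge request, and any error raised. Sample data is constructed inline.
def reproduce(publish)
  project = Project.new("example", false)                           # step 1: User A's project
  mr = MergeRequest.new(project, [])
  draft = create_draft("user_b", mr, ["LGTM?", "nit: rename x"])  # step 2: User B drafts
  project.archive!                                                  # step 3: User A archives
  begin
    publish.call(draft)                                             # step 4: User B publishes
    { published: draft.published, notes: mr.notes.size }
  rescue ArchivedProjectError => e
    { published: draft.published, notes: mr.notes.size, error: e.message }
  end
end

if __FILE__ == $PROGRAM_NAME
  p reproduce(method(:publish_draft_vulnerable)) # notes written despite the archive
  p reproduce(method(:publish_draft_hardened))   # publish refused, no notes written
end
```

The point of the two paths is where the check sits: a draft is a pending write, so the read-only decision has to be made when the write is committed, not only when the draft was opened.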