Removed developer users from public project can close and edit merge request created by them
HackerOne report #1401296 by ashish_r_padelkar
on 2021-11-16, assigned to @nmalcolm:
Report
Summary
Hello,
A developer user removed from a public project can still edit and close/reopen merge requests they created while they were a developer in the project.
As per https://docs.gitlab.com/ee/user/project/merge_requests/#close-a-merge-request, only users with the Developer role and higher should be able to close merge requests, but in this case the member is no longer part of the team and is still able to close the merge requests (created by them).
Steps to reproduce
- Log in as a developer in any public project and create a merge request at https://gitlab.com/<NameSpace>/<ProjectName>/-/merge_requests/new.
- Admin removes the developer from the public project.
- As the former developer (now not a part of the project), go to the merge request you created when you were a developer.
- You see that you can still edit and close the merge request, which shouldn't be possible as per the document provided above! Only developers and higher roles should be able to close the merge request, but currently you don't have any role in the project!
- You can also edit the title, description, etc., which should also be restricted.
What is the current bug behavior?
Removed developers can still edit and close their merge requests, which is against the documentation.
What is the expected correct behavior?
Only users with the Developer role and higher should be able to close merge requests.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Removed developers can still edit and close their merge requests, which is against the documentation.
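The authorization flaw the report describes, modelled as an added Ruby example (this is not GitLab's own policy code; the role ranks, class names, user names and the `can_update_mr_*` helpers are assumptions). The flawed rule trusts merge-request authorship on its own, so a removed author keeps the right; the fixed rule re-checks the author's current project role on every request.

```ruby
# Added illustration, not GitLab code: a minimal role model for deciding
# whether a user may edit or close a merge request.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class Project
  attr_reader :members            # { username => role symbol }
  def initialize(members)
    @members = members
  end

  # Mirrors the admin removing the user from the project.
  def remove_member(username)
    @members.delete(username)
  end

  # Current role, or nil once the user has been removed.
  def role_of(username)
    @members[username]
  end
end

class MergeRequest
  attr_reader :project, :author
  def initialize(project, author)
    @project = project
    @author = author
  end
end

def developer_or_higher?(project, username)
  role = project.role_of(username)
  !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK[:developer]
end

# Flawed rule: authorship alone grants edit/close, regardless of membership.
def can_update_mr_flawed?(mr, username)
  mr.author == username || developer_or_higher?(mr.project, username)
end

# Fixed rule: the user must hold a Developer-or-higher role right now.
def can_update_mr_fixed?(mr, username)
  developer_or_higher?(mr.project, username)
end

# Constructed scenario following the report's steps; returns the decision
# [while still a developer, after removal] for the given rule.
def reproduce(rule)
  project = Project.new({ 'admin' => :owner, 'ashish' => :developer })
  mr = MergeRequest.new(project, 'ashish')
  before_removal = rule.call(mr, 'ashish')
  project.remove_member('ashish')
  [before_removal, rule.call(mr, 'ashish')]
end
```

Running `reproduce(method(:can_update_mr_flawed?))` yields `[true, true]` (the reported behaviour), while the fixed rule yields `[true, false]`.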
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: