Subgroup member can list members of parent group
Even though the user is not a member of the parent group in any way, we only check read_group
permission when listing members of a parent group, which is enabled by has_projects.
Steps to reproduce
- create group and subgroup
- create a project in subgroup
- add user to subgroup
What is the current bug behavior?
Subgroup member has access to the member list of the parent group.
If we skip step 2 (creating a project), the user won't have access to the members of the parent group.
What is the expected correct behavior?
The subgroup member should not have access to the member list of the parent group, regardless of the existence of a project.
Edited by Imre Farkas
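
The behaviour reported above, as an added example that is not part of the original issue and is not GitLab's code: a simplified Ruby model in which read_group is granted through has_projects, with the member list gated either on read_group (reported) or on membership (expected). Every class and method name other than read_group and has_projects is hypothetical, and the users and project are constructed sample data.

```ruby
# Simplified model of the reported check; not GitLab's code. Names are hypothetical.
class Group
  attr_reader :parent, :members, :projects, :children
  def initialize(parent: nil)
    @parent, @members, @projects, @children = parent, [], [], []
    parent.children << self if parent
  end

  def self_and_ancestors
    parent ? [self] + parent.self_and_ancestors : [self]
  end

  def self_and_descendants
    [self] + children.flat_map(&:self_and_descendants)
  end
end

module Policy
  module_function
  # Member of the group itself or of one of its ancestors.
  def member?(user, group)
    group.self_and_ancestors.any? { |g| g.members.include?(user) }
  end

  # has_projects: the user can reach a project somewhere in the group's hierarchy.
  def has_projects?(user, group)
    group.self_and_descendants.any? { |g| g.projects.any? && member?(user, g) }
  end

  def read_group?(user, group)
    member?(user, group) || has_projects?(user, group)
  end

  # strict: false gates on read_group (reported); strict: true on membership (expected).
  def list_members(user, group, strict:)
    allowed = strict ? member?(user, group) : read_group?(user, group)
    allowed ? group.members : nil
  end
end

# Constructed scenario following the steps to reproduce; returns [reported, expected].
def scenario(with_project:)
  parent = Group.new
  parent.members << "owner"
  sub = Group.new(parent: parent)
  sub.projects << "project" if with_project
  sub.members << "subgroup_user"
  [false, true].map { |strict| Policy.list_members("subgroup_user", parent, strict: strict) }
end
```

A regression test for this class of bug should assert the denial both with and without the project in the subgroup, since the project is what flips the result.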