Accounts not shared on projects get notified when tagged involuntarily
Anytime I add a comment with @nullable in it to any Merge Request on a private group I get an account under the name Kurt Gooding tagged into the project. I am not sure if this gives him visibility over it.
To test it out, I have created another account named RestController. So when anyone adds a comment on any MR in any project with @RestController in it I get notified with an email about that comment.
In this case the commenter (like me previously) did not intend to notify the @RestController account, but rather simply added a comment that happens to contain that annotation as a word.
The issue persists if I push a commit with @RestController in the commit message. This is definitely not an intended account tagging.
I did receive notifications by email anytime someone used @RestController in a comment. I am also able to post comments on projects that were not directly shared with me. Looks like the accidental tagging is granting me permissions I shouldn't have.
I understand this might be an intended feature where tagging an account in a Merge Request will grant the account access; however, for situations where the tagging was non-intentional (like mentioning a Java annotation in a comment or a commit message) it looks like a security flaw.
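As an added illustration that is not part of this report or of GitLab's own code, the Python below reproduces the failure mode described above: a naive @-mention extractor turns Java annotations such as @RestController into user mentions, while a hardened resolver skips code spans and only resolves handles that already belong to project members. The account names, membership set and sample texts are constructed for the example.

```python
import re

# Constructed sample inputs: two texts that mention Java annotations without
# intending a user mention, and one that is a deliberate mention.
SAMPLE_TEXTS = [
    "Please annotate the class with @RestController instead of @Controller.",
    "fix: add @Nullable to the parser argument",
    "cc @alice, can you review?",
]

# Constructed instance-wide account registry (lowercased handles). Two of the
# accounts happen to collide with annotation names.
ALL_ACCOUNTS = {"alice", "bob", "restcontroller", "nullable"}
# Constructed membership of the private project: the only accounts that may be
# notified or granted anything through a mention.
PROJECT_MEMBERS = {"alice", "bob"}

# '@' not preceded by a word char or dot (so e-mail addresses are skipped),
# followed by a handle; a dot is only part of the handle when followed by more
# handle chars, so '@Controller.' at end of sentence yields 'Controller'.
MENTION_RE = re.compile(r"(?<![\w.])@([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*)")


def naive_mentions(text: str) -> list[str]:
    """Failure mode: any @token naming an existing account is treated as a
    mention, regardless of whether that account has access to the project."""
    return [h for h in MENTION_RE.findall(text) if h.lower() in ALL_ACCOUNTS]


def _strip_code(text: str) -> str:
    # Remove fenced and inline code first; annotations inside code samples
    # should never be interpreted as mentions.
    text = re.sub(r"```.*?```", " ", text, flags=re.S)
    return re.sub(r"`[^`]*`", " ", text)


def safe_mentions(text: str, members: set[str] = PROJECT_MEMBERS) -> list[str]:
    """Hardened resolution: a handle resolves only if it is already a member of
    the project, so a stray annotation name notifies nobody and grants nothing."""
    return [h for h in MENTION_RE.findall(_strip_code(text)) if h.lower() in members]


if __name__ == "__main__":
    for text in SAMPLE_TEXTS:
        print(f"{text!r}\n  naive: {naive_mentions(text)}  safe: {safe_mentions(text)}")
```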
