Non-Premium user (Free plan) can see sum of weights
HackerOne report #1551065 by salh4ckr on 2022-04-26:
Report
Summary
hi,
According to this: https://docs.gitlab.com/ee/user/project/issue_board.html#sum-of-issue-weights, only the Premium plan should be able to see the sum of weights, but I found a GraphQL endpoint which is showing the total of weights.
Steps to reproduce
1. Create a group A and start an Ultimate trial for this group
2. Create a project A in group A
3. Create issue A in project A
4. Add a weight to issue A
5. Create another issue B in project A
6. Add a weight to issue B.
   - Because the issue weights feature is available for the Premium plan and we can't wait 30 days for the trial to end, let's create a Free plan group and then transfer project A there
7. Create group B
8. Transfer project A to group B
9. Now go to project A's issue boards; you will see that there is no sum of weights
10. Go to Burp Suite Match and Replace and replace this in the response: false to true
or use this GraphQL request:
POST /api/graphql HTTP/2
Host: gitlab.com
Cookie: redacted
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/newgrp8/proj1/-/boards/4229506
Content-Type: application/json
X-Csrf-Token: redacted
X-Gitlab-Feature-Category: team_planning
Origin: https://gitlab.com
Content-Length: 285
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
[{"operationName":"BoardListEE","variables":{"id":"gid://gitlab/List/id","filters":{"not":{}}},"query":"query BoardListEE($id: ID!, $filters: BoardIssueInput) {\n boardList(id: $id, issueFilters: $filters) {\n id\n totalWeight\n issuesCount\n __typename\n }\n}\n"}]
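The request above shows the root cause: hiding the sum in the board UI is a client-side decision, while the `boardList { totalWeight }` resolver still computes and returns the number for any caller. The server-side fix is to authorize the licensed field on every request against the project's current group, so that a transfer into a Free group removes the field even though the issues still carry weights. The following Ruby example is added here and is not GitLab's code; the model classes, `feature_available?`, `LICENSED_FEATURES` and the two resolver functions are hypothetical stand-ins that mirror the report's scenario.

```ruby
# Added example (not GitLab's code): server-side license gating of a licensed
# GraphQL field, modelled on the boardList { totalWeight } query above.
# All class and method names here are hypothetical stand-ins.

# Minimal domain model: a group carries the plan; a project belongs to a group.
Group   = Struct.new(:name, :plan)      # plan: :free, :premium or :ultimate
Project = Struct.new(:name, :group)
Issue   = Struct.new(:project, :weight)

# Which plans unlock which licensed features (assumption for this example).
LICENSED_FEATURES = { issue_weights: %i[premium ultimate] }.freeze

# Evaluate the license against the project's *current* group, never a value
# cached at creation time: after a transfer to a Free group the feature must
# disappear for that project.
def feature_available?(project, feature)
  LICENSED_FEATURES.fetch(feature).include?(project.group.plan)
end

# Vulnerable resolver: returns totalWeight unconditionally and relies on the
# frontend to hide the number. A proxy match-and-replace on the response
# defeats that, exactly as the report describes.
def resolve_board_list_vulnerable(project, issues, fields)
  scoped = issues.select { |i| i.project == project }
  out = {}
  out["issuesCount"] = scoped.size          if fields.include?("issuesCount")
  out["totalWeight"] = scoped.sum(&:weight) if fields.include?("totalWeight")
  out
end

# Hardened resolver: the licensed field is authorized per request on the
# server. Unlicensed callers get nil for the field (a "not available" value)
# instead of the computed sum; unlicensed fields such as issuesCount are
# unaffected.
def resolve_board_list_hardened(project, issues, fields)
  scoped = issues.select { |i| i.project == project }
  out = {}
  out["issuesCount"] = scoped.size if fields.include?("issuesCount")
  if fields.include?("totalWeight")
    out["totalWeight"] =
      feature_available?(project, :issue_weights) ? scoped.sum(&:weight) : nil
  end
  out
end

# Replay the report's scenario: project created under an Ultimate trial group,
# issues weighted there, then the project is transferred to a Free group.
# Returns the resolver output before and after the transfer.
def transfer_scenario(resolver)
  ultimate = Group.new("group-a", :ultimate)
  free     = Group.new("group-b", :free)
  project  = Project.new("project-a", ultimate)
  issues   = [Issue.new(project, 3), Issue.new(project, 5)] # constructed sample data
  fields   = %w[totalWeight issuesCount]                   # fields from the query above

  before = send(resolver, project, issues, fields)
  project.group = free                                     # the transfer
  after  = send(resolver, project, issues, fields)
  { before: before, after: after }
end

if __FILE__ == $PROGRAM_NAME
  p transfer_scenario(:resolve_board_list_vulnerable)
  p transfer_scenario(:resolve_board_list_hardened)
end
```

Running it shows the vulnerable resolver still returning the weight sum after the transfer, while the hardened one returns nil for `totalWeight` and keeps `issuesCount`. The design point is that the license check lives in the field resolver and reads the project's group at request time; a check performed only in the board UI, or cached when the project was created under the trial group, reproduces the leak.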
Impact
Non-Premium users can see the sum of issue weights.