[Bug] Users can view audit events from other members
Summary
Users without expected permission can search for and view audit events from other users using the UI.
As noted in our feature documentation, events by other members should only be visible:
- On groups for `owners` and `admins`.
- On projects for `maintainers` and above.
Users with lower access should only be able to view their own events.
Additional notes
- Users have to be logged in to view the audit events on a group / project.
- I could not replicate this bug on the audit events API.
Steps to reproduce
- Log in with user_A and create an audit event (create / import a project / change approval rules).
- Log in with user_B that has a `Developer` role and view the audit events page for the same group / project where the event was created: https://staging.gitlab.com/groups/[GROUP]/-/audit_events
- Append user_A's username to the URL and hit enter: `?entity_type=Author&author_username=[USERNAME]`
- You should now see user_A's audit events.
Example Project
Most users do not have owner access on GitLab-org, so the above should not show results.
What is the current bug behavior?
Group and project members can view the audit events from all members.
What is the expected correct behavior?
Group and project members should only be able to view audit events generated by themselves, unless:
- They have `owner` and `admin` role in a group.
- They have `maintainer` or above role in a project.
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`)
(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`)
(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)
(we will only investigate if the tests are passing)
Possible fixes
I suspect there's an issue or lack of permission checking on the `AuditEventsController`.