
[Bug] Users can view audit events from other members

Summary

Users without the expected permission can search for and view other users' audit events through the UI.

As noted in our feature documentation, events by other members should only be visible:

  1. On groups for owners and admins.
  2. On projects for maintainers and above.

Users with lower access should only be able to view their own events.

Additional notes

  • Users have to be logged in to view the audit events on a group / project.
  • I could not replicate this bug on the audit events API.

Steps to reproduce

  1. Log in with user_A and create an audit event (create / import a project / change approval rules).
  2. Log in with user_B that has a Developer role and view the audit events page for the same group / project where the event was created:
    • https://staging.gitlab.com/groups/[GROUP]/-/audit_events
  3. Append user_A's username to the URL and hit enter:
    • ?entity_type=Author&author_username=[USERNAME]
  4. You should now see user_A's audit events.

Example Project

https://gitlab.com/groups/gitlab-org/-/audit_events?entity_type=Author&author_username=employment-bot

Most users do not have owner access on GitLab-org, so the link above should not return any results for them.

What is the current bug behavior?

Group and project members can view the audit events from all members.

What is the expected correct behavior?

Group and project members should only be able to view audit events generated by themselves, unless:

  1. They have the Owner or Admin role in a group.
  2. They have the Maintainer role or above in a project.


Possible fixes

I suspect there's an issue or lack of permission checking on the AuditEventsController.
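To make the expected behaviour above concrete, here is an added example that is not GitLab's code and does not describe how AuditEventsController actually works: a plain-Ruby sketch that applies the request's author filter only within the set of events the viewer is allowed to see. The `Viewer`/`AuditEvent` structs, the role ranks and the function names are assumptions.

```ruby
# Added illustration, not GitLab's implementation. All names here
# (Viewer, AuditEvent, visible_audit_events, ROLE_RANK) are hypothetical.

AuditEvent = Struct.new(:id, :author_username, :entity_type, :entity_name)
Viewer     = Struct.new(:username, :role)

# Hypothetical role ordering, mirroring the roles named in the report.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30,
              maintainer: 40, owner: 50, admin: 60 }.freeze

# May this viewer see events authored by other members of the entity?
def may_view_others?(viewer, entity_type)
  rank = ROLE_RANK.fetch(viewer.role)
  case entity_type
  when :group   then rank >= ROLE_RANK[:owner]      # owners and admins
  when :project then rank >= ROLE_RANK[:maintainer] # maintainers and above
  else false
  end
end

# Vulnerable shape: the author_username filter is applied straight from the
# request, so any signed-in member can list anyone's events.
def visible_audit_events_vulnerable(events, params)
  requested = params[:author_username]
  requested ? events.select { |e| e.author_username == requested } : events
end

# Hardened shape: decide the permitted author set first, then apply the
# user-supplied filter inside that set. A lower-privilege viewer asking for
# another member's username gets an empty result, not that member's events.
def visible_audit_events(events, viewer, entity_type, params)
  scope = if may_view_others?(viewer, entity_type)
            events
          else
            events.select { |e| e.author_username == viewer.username }
          end
  requested = params[:author_username]
  requested ? scope.select { |e| e.author_username == requested } : scope
end

# Constructed sample data for a stand-alone run.
EVENTS = [
  AuditEvent.new(1, "user_a", :group, "example-group"),
  AuditEvent.new(2, "user_b", :group, "example-group"),
].freeze

if __FILE__ == $PROGRAM_NAME
  dev = Viewer.new("user_b", :developer)
  p visible_audit_events_vulnerable(EVENTS, author_username: "user_a").map(&:id)   # => [1]
  p visible_audit_events(EVENTS, dev, :group, author_username: "user_a").map(&:id) # => []
end
```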

Edited by Jiaan Louw