Developers can EDIT names of locked files which are locked by other users
HackerOne report #746601 by ashish_r_padelkar
on 2019-11-26, assigned to @ankelly:
Summary
Hello,
As per https://docs.gitlab.com/ee/user/project/file_lock.html, "You can unlock a file that yourself or someone else previously locked as long as you have Maintainer or above permissions to the project."
However, a user with the Developer role can still EDIT locked files of other users in the project. They are not able to EDIT the contents of the file but are able to change the file name. After renaming the locked file, the old file is not visible anywhere and the lock on the newly renamed file is released automatically.
Steps to reproduce
- Login as project maintainer and lock any file.
- Login as a developer and go to the locked file. You will still see the EDIT option in the file although the file is locked.
- If you try to EDIT the content, you will see an error saying the file has already been locked by another user.
- Now just EDIT the name of the file without changing anything.
- File will be renamed successfully and lock is released.
- Maintainers won't find the old file anywhere in the UI.
What is the current bug behavior?
A Developer can EDIT locked file names, which eventually releases the lock on the file.
What is the expected correct behavior?
A Developer shouldn't be allowed to EDIT the locked file names.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too. I tested this on gitlab.com.
Regards,
Ashish
Impact
Developer users can EDIT locked file names which are locked by other users
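The report above describes a lock check that covered content edits but not renames. The Ruby below is an added example, not GitLab's code, of how a lock-aware commit validator can close that gap: a move/rename action is treated as touching both its source path and its destination path, so a locked file can neither be renamed away nor overwritten by renaming something onto it. The lock table, the action hash shape (`:action`, `:file_path`, `:previous_path`), the usernames and the directory-lock prefix rule are all constructed assumptions for this example.

```ruby
# Added example (not GitLab's own code): enforce path locks over a batch of
# commit actions, treating a move as touching BOTH the old and the new path.
# The bug class from the report: only the content edit was checked, so a
# rename slipped past the lock and, once the file lived under a new path,
# the lock on the old path no longer protected anything.

# Constructed sample state: locked path => username holding the lock.
# A trailing "/" marks a directory lock (assumed to cover everything below it).
LOCKS = {
  "config/secrets.yml" => "maintainer",
  "vendor/" => "maintainer"
}.freeze

# True when `path` is covered by a lock held by someone other than `user`.
# The lock holder may still touch their own locked paths.
def locked_for?(path, user, locks = LOCKS)
  locks.any? do |locked_path, owner|
    next false if owner == user
    if locked_path.end_with?("/")
      path.start_with?(locked_path)
    else
      path == locked_path
    end
  end
end

# Every path an action touches. A move touches source AND destination, so a
# rename of a locked file is rejected exactly like an edit of it would be.
def touched_paths(action)
  case action[:action]
  when :move
    [action[:previous_path], action[:file_path]]
  when :create, :update, :delete, :chmod
    [action[:file_path]]
  else
    raise ArgumentError, "unknown action #{action[:action].inspect}"
  end
end

# Returns the paths in `actions` that `user` may not touch because another
# user holds a lock on them; an empty list means the commit may proceed.
def lock_violations(actions, user, locks = LOCKS)
  actions.flat_map { |a| touched_paths(a) }
         .uniq
         .select { |p| locked_for?(p, user, locks) }
end

if __FILE__ == $PROGRAM_NAME
  # The scenario from the report: a developer renames a file a maintainer locked.
  rename = [{ action: :move, previous_path: "config/secrets.yml", file_path: "config/old.yml" }]
  puts lock_violations(rename, "developer").inspect  # => ["config/secrets.yml"]
end
```

Rejecting the whole batch when `lock_violations` is non-empty (rather than silently dropping the offending action) keeps the commit atomic and gives the user the same "locked by another user" error they already get for a content edit.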