Private group info such as EPIC, milestone path are still visible if project is transferred to other group

HackerOne report #748315 by ashish_r_padelkar on 2019-11-29, assigned to @ankelly:

Summary

When a project is transferred from a private group to a public group, the information related to private groups, such as the milestone group path and epic, is still visible if it is associated with issues/merge requests.

Also, when the old group updates the EPIC title, the new title is still visible in the new group's issue if it is associated with the issue.

Steps to reproduce

  1. Create a private group and a private project underneath it.
  2. Create a group milestone, EPIC and Label in the group.
  3. Apply all of these to an issue in the project.
  4. Move this project to any GOLD membership public project. Change the project visibility to public.
  5. Log in as a non-member and visit this public project issue, and you will see that the following information is still visible from the old private group:
    a. The epic associated with this issue. If the old group updates the title, the new title is still visible in this issue.
    b. System notes associated with the issue show a group milestone path if you hover over the milestone.

What is the current bug behavior?

The EPIC and milestone path are visible from the private group if the project is transferred.

What is the expected correct behavior?

The EPIC and old group path should not be visible to non-members.

Output of checks

This bug happens on GitLab.com.

Regards,
Ashish

Impact

  1. The epic associated with the issue is visible in the new group. If the old group updates the title, the new title is still visible in the issue.
  2. System notes associated with the issue show a group milestone path if you hover over the milestone.