Direct Transfer - Authorised project/group exports are accessible to other users
We have functionality introduced by !96503 (merged) and !107363 (merged) that authorised resources before being exported.
For example, an issue's epic or notes might not be visible to the exporting user (despite being an owner of the project) so they are filtered before generating the export upload.
Given this authorization is performed for the exporting user, by allowing the file to be downloaded by other users, we are potentially exposing inaccessible resources.
How to replicate
- With
User A
create two privates groupsgroup-to-export
andexternal-group
- Create an epic in each group and assign the one in
group-to-export
as a child epic of the one inexternal-group
- Visit (Group -> Settings -> General -> Advanced) and export
group-to-export
. - Download the file and find
epics.ndjson
. The epic parent should be visible - Invite another user
User B
togroup-to-export
and assign it theowner
role. - Log in as
User B
and visit the epic ingroup-to-export
. The epic's parent (in the right sidebar) is not visible. - Visit the export page and download the file again. Open
epics.ndjson
that includes the epic's parent information.
Edited by Eugenia Grieff