Guest user with Admin merge request permissions can see the approval rules
HackerOne report #2274176 by ashish_r_padelkar
on 2023-12-05, assigned to @cmaxim:
Report
Summary
Hello,
As per this documentation, https://docs.gitlab.com/ee/user/custom_roles.html#available-permissions, the admin_merge_request permission doesn't allow viewing merge request approval rules.
However, using the API, such users can.
Steps to reproduce
1. Go to https://gitlab.com/groups/groupnov2023/-/settings/roles_and_permissions and create a role AdminMergeRole_1 with the Guest template and the admin_merge_request permission.
2. Now go to https://gitlab.com/groups/groupnov2023/-/group_members and add User_A with the above role AdminMergeRole_1.
3. Create a new merge request at https://gitlab.com/groupnov2023/Novproject/-/merge_requests. While creating the merge request, you will be able to create approval rules like below. Create a couple of approval rules.
4. Login as User_A.
5. Go to the merge request created above at https://gitlab.com/groupnov2023/Novproject/-/merge_requests/1.
6. You won't be able to edit the merge request as intended, so you cannot view or edit approval rules.
7. However, you can use this API, https://gitlab.com/api/v4/projects/48419568/merge_requests/1/approval_settings, and you will be able to see the Approval Rules in the response, which is against the documentation of the Admin merge request permissions.
They can also see all the approval rules created by group owners at https://gitlab.com/api/v4/projects/48419568/approval_settings
What is the current bug behavior?
Guest user with Admin merge request permissions can see the approval rules, which is against the documentation.
What is the expected correct behavior?
API https://gitlab.com/api/v4/projects/48419568/merge_requests/1/approval_settings should not be accessible to such users.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
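An added regression check for the behaviour described in the report (not code from the report or from GitLab): it calls the two approval_settings endpoints the report names with a token of a user holding the custom role and reports whether approval rules come back. The base URL, project id and MR iid are placeholders read from the environment, and the response is assumed to carry its rules in a top-level "rules" list.

```python
"""Regression check: does a user whose custom role grants only
admin_merge_request still receive approval rules from the approval_settings
endpoints?  Added example, not GitLab's own code.  Assumes a personal access
token for the custom-role user in GITLAB_TOKEN; GITLAB_URL, PROJECT_ID and
MR_IID are placeholders."""
import json
import os
import urllib.error
import urllib.request

def evaluate_exposure(status, body):
    """Classify one API response.  A user without approval-rule visibility
    should get 401/403/404; a 200 whose JSON has a non-empty 'rules' list
    (assumed response shape) means the rules were exposed."""
    if status in (401, 403, 404):
        return {"exposed": False, "reason": f"denied with HTTP {status}"}
    if status != 200:
        return {"exposed": False, "reason": f"unexpected HTTP {status}"}
    try:
        data = json.loads(body)
    except ValueError:
        return {"exposed": False, "reason": "non-JSON 200 body"}
    rules = data.get("rules") if isinstance(data, dict) else None
    if rules:
        names = [r.get("name", "?") for r in rules]
        return {"exposed": True, "reason": f"rules returned: {names}"}
    return {"exposed": False, "reason": "200 but no rules in body"}

def fetch(url, token):
    """GET url with a PRIVATE-TOKEN header; return (status, body), never raise."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def run_check(base_url, project_id, mr_iid, token):
    """Check both endpoints named in the report; return endpoint -> verdict."""
    urls = {
        "project": f"{base_url}/api/v4/projects/{project_id}/approval_settings",
        "merge_request": f"{base_url}/api/v4/projects/{project_id}"
                         f"/merge_requests/{mr_iid}/approval_settings",
    }
    return {name: evaluate_exposure(*fetch(u, token)) for name, u in urls.items()}

if __name__ == "__main__":
    results = run_check(os.environ.get("GITLAB_URL", "https://gitlab.example"),
                        os.environ.get("PROJECT_ID", "PROJECT_ID_PLACEHOLDER"),
                        os.environ.get("MR_IID", "1"), os.environ["GITLAB_TOKEN"])
    for name, verdict in results.items():
        print(name, "EXPOSED" if verdict["exposed"] else "ok", "-", verdict["reason"])
```

Run it once as the custom-role user after a fix is deployed; any line marked EXPOSED means the endpoint still returns rules to that role.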
Impact
Guest user with Admin merge request permissions can see the approval rules
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: