
Project Import/Export - Make project/group export files hidden to everyone except user who initiated it

Problem

Similar to #408469 (closed)

We have functionality introduced by !96503 (merged) and !107363 (merged) that authorises resources before they are exported.

For example, an issue's epic or notes might not be visible to the exporting user (despite being an owner of the project) so they are filtered before generating the export upload.

Given that this authorization is performed for the exporting user, allowing the file to be downloaded by other users potentially exposes resources those users cannot access.

How to replicate

  • With User A, create two private groups, group-to-export and external-group.
  • Create an epic in each group and assign the one in group-to-export as a child epic of the one in external-group
  • Visit (Group -> Settings -> General -> Advanced) and export group-to-export.
  • Download the file and find epics.ndjson. The epic's parent should be visible.
  • Invite another user, User B, to group-to-export and assign them the Owner role.
  • Log in as User B and visit the epic in group-to-export. The epic's parent (in the right sidebar) is not visible.
  • Visit the export page and download the file again. Open epics.ndjson: it still includes the epic's parent information.

[Screenshot: Screenshot_2023-04-24_at_11.30.03]

Proposal

We should only serve export files to the user who initiated the export. Other users should not be able to download that export, but could create their own export.

Other users should not be able to detect that an export has happened for another user. This includes anything that reflects the export status in the UI or API.

Files are downloaded through the UI (Settings > General > expand Advanced) and through the API (the project export status and export download endpoints, and the similar endpoints for groups).

The Settings > General > expand Advanced section should not display any information about a project export being created, or available, for another person. The Download export button that appears in the project's settings should only be visible to the user who initiated the export. Any other buttons or copy on that page that reflect export status should also be hidden.

The API endpoints to get a project's export status and download the export (and the similar endpoints for groups) should act as if there is no project export.
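The rule proposed above, as an added illustration in Ruby (GitLab's own language) rather than GitLab's implementation: an export record carries the id of the user who initiated it, and every read path (status, download, UI button) resolves the export through one lookup that returns nothing for anyone else. The `export_status` field with values `none` and `finished` mirrors the existing project export status API; the class and method names, and the sample users and upload, are assumptions constructed for the example.

```ruby
# Added example, not GitLab code: models the proposal that an export file and
# its status are visible only to the user who initiated the export.
# Class and method names are assumptions.

User = Struct.new(:id, :name)

# A finished export upload, recorded with the user who initiated it.
# The exported resources were filtered for that user's permissions before
# the file was written, so the file may contain data other members cannot see.
ExportUpload = Struct.new(:project_id, :initiator_id, :file_path, :created_at)

class ProjectExportPolicy
  def initialize(uploads)
    @uploads = uploads
  end

  # Returns the export visible to `user` for `project_id`, or nil.
  # Any user other than the initiator gets nil, regardless of their role
  # (an Owner of the project still gets nil). Callers translate nil into
  # "no export exists", so neither the file nor the fact that an export was
  # run is exposed to other members.
  def export_for(project_id, user)
    @uploads.find { |u| u.project_id == project_id && u.initiator_id == user.id }
  end

  # Status endpoint: "not initiated by you" and "never exported" produce the
  # same response, so the status cannot be used to detect another user's export.
  def status(project_id, user)
    export_for(project_id, user) ? { export_status: 'finished' } : { export_status: 'none' }
  end

  # Download endpoint: 404 for everyone except the initiator.
  def download(project_id, user)
    upload = export_for(project_id, user)
    upload ? [200, upload.file_path] : [404, nil]
  end

  # UI helper: whether to render the "Download export" button and any copy
  # in Settings > General > Advanced that reflects export status.
  def show_download_button?(project_id, user)
    !export_for(project_id, user).nil?
  end
end

# Constructed sample data: User A exported project 42; User B is another member.
USER_A = User.new(1, 'User A')
USER_B = User.new(2, 'User B')
UPLOADS = [ExportUpload.new(42, USER_A.id, '/exports/42/export.tar.gz', Time.now)]
POLICY = ProjectExportPolicy.new(UPLOADS)

if __FILE__ == $PROGRAM_NAME
  puts "A status:   #{POLICY.status(42, USER_A)}"   # {:export_status=>"finished"}
  puts "B status:   #{POLICY.status(42, USER_B)}"   # {:export_status=>"none"}
  puts "B download: #{POLICY.download(42, USER_B).inspect}" # [404, nil]
end
```

The point of routing every read through `export_for` is that there is exactly one place where the initiator check lives; a new endpoint or UI element that forgets the check cannot be written without bypassing that method, which is easy to spot in review.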

Edited by Luke Duncalfe