
Non project member can promote key results to objectives

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2456186 by ashish_r_padelkar on 2024-04-09, assigned to GitLab Team:


Report

Summary

Hello,

As per this document, https://docs.gitlab.com/ee/user/okrs.html#promote-a-key-result-to-an-objective, you must have at least the Reporter role to promote key results to objectives.

[Screenshot: Screenshot_2024-04-09_at_1.18.39_PM.png]

However, only Guest access is enough at the moment, which I think is a permission issue.

Steps to reproduce

1. On your instance, enable the feature flag okrs_mvc in the Rails console to enable objectives and key results. (Follow this to enable feature flags: https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags)
2. After enabling it, go to /issues and create an objective. You can follow https://docs.gitlab.com/ee/user/okrs.html#create-an-objective to create an objective.

[Screenshot: Screen_Shot_2024-04-09_at_1.05.38_PM.png]

3. Once you have created the objective, you can create key results within it in the Child objectives and key results section.

[Screenshot: Screen_Shot_2024-04-09_at_1.00.48_PM.png]

4. Log in as UserB, who is not a member of your (public) group/project, and go to the details of the key result: https://YourInstance/<GroupName>/<ProjectName>/-/work_items/1.

5. In the comment box, type /promote_to objective and it will successfully convert the key result into an objective.

What is the current bug behavior?

As per the document, you need at least the Reporter role to promote key results to objectives, but a non-member can do this too.

What is the expected correct behavior?

Only users with the Reporter role should be able to promote key results to objectives.

Output of checks

GitLab EE 16.9+

Regards,
Ashish

Impact

Non project member can promote key results to objectives

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: