Non project member can promote key results to objectives
HackerOne report #2456186 by ashish_r_padelkar on 2024-04-09, assigned to GitLab Team:
Report
Summary
Hello,
As per this document https://docs.gitlab.com/ee/user/okrs.html#promote-a-key-result-to-an-objective, you must have at least the Reporter role to promote key results to objectives.
However, only Guest access is enough at the moment, which I think is a permission issue.
Steps to reproduce
1. On your instance, enable the feature flag okrs_mvc in the Rails console to enable objectives and key results. (Follow this to enable feature flags: https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags)
2. After enabling it, go to /issues and create an objective. You can follow https://docs.gitlab.com/ee/user/okrs.html#create-an-objective to create an objective.
3. Once you have created the objective, you can create key results within it in the "Child objectives and key results" section.
4. Log in as UserB, who is not a member of your (public) group/project, and go to the details of the key result: https://YourInstance/<GroupName>/<ProjectName>/-/work_items/1.
5. In the comment box, type /promote_to objective and it will successfully convert the key result into an objective.
What is the current bug behavior?
As per the document, you need at least the Reporter role to promote key results to objectives, but a non-member can do this too.
What is the expected correct behavior?
Only a user with the Reporter role should be able to promote key results to objectives.
Output of checks
Gitlab EE 16.9+
Regards,
Ashish
Impact
Non project member can promote key results to objectives
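The report's root cause is an authorization gate that checks only whether the caller can read the project (true for anyone on a public project) instead of requiring the Reporter role. The following Ruby example is added here to illustrate that distinction; it is not GitLab's own code and does not use GitLab's internal classes. `Project`, `WorkItem`, `QuickActionRunner` and `ReadOnlyGatedRunner` are hypothetical names, and the numeric access levels are an assumed ordering for the documented role hierarchy. `ReadOnlyGatedRunner` models the reported behaviour; `QuickActionRunner` shows the role check the documentation describes, with denied attempts written to an audit log.

```ruby
# Added example (not GitLab's own code): a minimal model of role-gating a
# quick action such as `/promote_to objective`. All class and method names
# are hypothetical; the access-level numbers are an assumed ordering of roles.

ACCESS_LEVELS = {
  none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50
}.freeze

# A work item is either an objective or a key result with an optional parent.
WorkItem = Struct.new(:id, :type, :parent_id)

class Project
  # members: { user_name => role symbol }; everyone else is a non-member.
  def initialize(public:, members: {})
    @public = public
    @members = members
  end

  def role_for(user)
    return :none if user.nil?
    @members.fetch(user, :none)
  end

  # Read access: a public project is readable by anyone, including non-members.
  def readable_by?(user)
    @public || role_for(user) != :none
  end
end

class QuickActionRunner
  MIN_ROLE_FOR_PROMOTE = :reporter

  def initialize(project, user, audit_log: [])
    @project = project
    @user = user
    @audit_log = audit_log
  end

  # Parses "/promote_to <type>" and returns a service-style result hash.
  def execute(item, command_line)
    command, target = command_line.strip.split(/\s+/, 2)
    return { status: :error, reason: :unknown_command } unless command == '/promote_to'

    promote(item, target)
  end

  private

  def promote(item, target)
    unless can_promote?(item)
      @audit_log << { user: @user, action: :promote_to, item_id: item.id, result: :forbidden }
      return { status: :error, reason: :forbidden }
    end
    unless item.type == :key_result && target == 'objective'
      return { status: :error, reason: :unsupported_promotion }
    end

    item.type = :objective
    item.parent_id = nil # a promoted objective no longer sits under its old parent
    @audit_log << { user: @user, action: :promote_to, item_id: item.id, result: :success }
    { status: :success, work_item: item }
  end

  # Correct gate: the caller needs at least the Reporter role on the project.
  def can_promote?(_item)
    ACCESS_LEVELS.fetch(@project.role_for(@user)) >= ACCESS_LEVELS.fetch(MIN_ROLE_FOR_PROMOTE)
  end
end

# The reported behaviour, modelled: the only check is that the caller can read
# the project, which a public project grants to every non-member.
class ReadOnlyGatedRunner < QuickActionRunner
  private

  def can_promote?(_item)
    @project.readable_by?(@user)
  end
end

# Runs the quick action against a constructed key result and returns the status.
def promote_result(runner_class, project, user)
  key_result = WorkItem.new(1, :key_result, 7)
  runner_class.new(project, user).execute(key_result, '/promote_to objective')[:status]
end

if __FILE__ == $PROGRAM_NAME
  project = Project.new(public: true, members: { 'owner' => :owner, 'reporter' => :reporter })
  puts "read-only gate, non-member: #{promote_result(ReadOnlyGatedRunner, project, 'userB')}"
  puts "role gate, non-member:      #{promote_result(QuickActionRunner, project, 'userB')}"
  puts "role gate, reporter:        #{promote_result(QuickActionRunner, project, 'reporter')}"
end
```

The important design point is that the check lives in the service that performs the mutation, not only in the UI that renders the comment box: a quick action typed into a comment reaches the same code path as any other caller, so the role comparison has to happen there, and the audit entry for the forbidden case gives defenders a signal to alert on.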
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- Screen_Shot_2024-04-09_at_1.00.48_PM.png
- Screen_Shot_2024-04-09_at_1.05.38_PM.png
- Screenshot_2024-04-09_at_1.18.39_PM.png
How To Reproduce
Please add reproducibility information to this section: