Non project member can promote key results to objectives
HackerOne report #2456186 by ashish_r_padelkar
on 2024-04-09, assigned to GitLab Team
Report
Summary
Hello,
As per this document, https://docs.gitlab.com/ee/user/okrs.html#promote-a-key-result-to-an-objective, you must have at least the Reporter role to promote key results to objectives.
However, only guest access is enough at the moment, which I think is a permission issue.
Steps to reproduce
1. On your instance, enable the feature flag okrs_mvc in the Rails console to enable objectives and key results. (Follow this to enable feature flags: https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags)
2. After enabling, go to /issues and create an objective. You can follow https://docs.gitlab.com/ee/user/okrs.html#create-an-objective to create an objective.
3. Once you create the objective, you can create key results within the objective in the Child objectives and key results section.
4. Log in as UserB, who is not a member of your group/project (public), and now go to the details of the key result: https://YourInstance/<GroupName>/<ProjectName>/-/work_items/1.
5. In the comment box, type /promote_to objective and it will successfully convert the key result into an objective.
What is the current bug behavior?
As per the document, you need at least the Reporter role to promote key results to objectives, but a non-member can do this too.
What is the expected correct behavior?
Only users with the Reporter role should be able to promote key results to objectives.
Output of checks
GitLab EE 16.9+
Regards,
Ashish
Impact
Non project member can promote key results to objectives
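As an added illustration (not GitLab's code), the following Ruby sketch models the authorization gap the report describes: a quick-action handler that only checks read access, beside a hardened one that requires the Reporter role. The access-level constants mirror GitLab's documented values; the Project and WorkItem structs, user names and function names are constructed for the example.

```ruby
# Added example, not GitLab's code: a minimal model of the missing check.
# GitLab's real access levels are Guest=10, Reporter=20, Developer=30,
# Maintainer=40, Owner=50; every other name here is constructed.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

KEY_RESULT = :key_result   # the two work item types in the report
OBJECTIVE  = :objective

class NotAuthorized < StandardError; end

# members maps username => access level; a user missing from it is a non-member.
Project = Struct.new(:members, :public_project) do
  def access_level_for(user)
    members[user]
  end
end
WorkItem = Struct.new(:id, :type, :project)

# Vulnerable variant: the only gate is "can the user read the item", which a
# non-member passes on a public project, so /promote_to succeeds (the report).
def promote_to_objective_unchecked(item, user)
  raise NotAuthorized unless item.project.public_project || item.project.access_level_for(user)
  item.type = OBJECTIVE
  item
end

# Hardened variant: promotion requires at least Reporter on the project, as the
# OKR documentation quoted in the report specifies.
def promote_to_objective(item, user, min_level: REPORTER)
  level = item.project.access_level_for(user)
  if level.nil? || level < min_level
    raise NotAuthorized, "#{user} needs access level >= #{min_level}, has #{level.inspect}"
  end
  raise ArgumentError, "only key results can be promoted" unless item.type == KEY_RESULT
  item.type = OBJECTIVE
  item
end

# Quick-action dispatcher: the same comment text reaches both variants, so the
# only difference in outcome is the authorization check.
def run_quick_action(text, item, user, checked: true)
  return nil unless text.strip == "/promote_to objective"
  checked ? promote_to_objective(item, user) : promote_to_objective_unchecked(item, user)
end
```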
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- Screen_Shot_2024-04-09_at_1.00.48_PM.png
- Screen_Shot_2024-04-09_at_1.05.38_PM.png
- Screenshot_2024-04-09_at_1.18.39_PM.png
How To Reproduce
Please add reproducibility information to this section: