Maintainer can add project members despite group member lock

HackerOne report #457627 by ashish_r_padelkar on 2018-12-06:

Summary: Hello,

When a group has Member Lock enabled, maintainers of a project inside that group cannot add project members at https://gitlab.com/thisisprivategroup/projectinsideprivategroupt/project_members/


Description: However, using the project member import feature, users with the Maintainer role on such projects can still import project members.

The project member import URL is https://gitlab.com/<GroupWithMemberLock>/<ProjectName>/project_members/import

Steps To Reproduce:

  1. As an Owner of a private group, enable member lock at https://gitlab.com/groups/<group>/-/edit#js-permissions-settings

  2. Log in as a Maintainer and open a project within the group. You will see that you do not have the option to add project members at https://gitlab.com/<GroupWithMemberLock>/<ProjectName>/project_members

  3. Now visit the direct URL https://gitlab.com/<GroupWithMemberLock>/<ProjectName>/project_members/import

  4. Import the project members from another project; they will be added to the current project, which should not have been possible otherwise!

Regards, Ashish

Impact

A Maintainer can add/import project members despite the group's member lock.
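The root cause described above is an authorization check applied on one member-changing path (the add form) but not on another (the import endpoint). The following Ruby example is added here and is not GitLab's own code: the `Group`, `Project`, `MemberPolicy` and service classes are constructed stand-ins that show the unchecked import path beside a hardened version where every path consults the same server-side policy.

```ruby
# Added example (not GitLab's code). Constructed models: a group with a
# membership lock and owners, and projects with maintainers and members.
Group   = Struct.new(:owners, :membership_lock)
Project = Struct.new(:group, :maintainers, :members)

module MemberPolicy
  # Hypothetical policy: the group's member lock overrides project role.
  # Only a group owner may change membership while the lock is on.
  def self.can_admin_members?(user, project)
    return true if project.group.owners.include?(user)
    return false if project.group.membership_lock
    project.maintainers.include?(user)
  end
end

# Vulnerable shape: the import path only checks the project role and never
# consults the group lock, so it bypasses what the add path enforces.
class ImportMembersUnchecked
  def self.call(actor, target, source)
    return :denied unless target.maintainers.include?(actor)
    target.members |= source.members
    :ok
  end
end

# Hardened shape: add and import both go through the same policy object.
class AddMember
  def self.call(actor, project, new_member)
    return :denied unless MemberPolicy.can_admin_members?(actor, project)
    project.members |= [new_member]
    :ok
  end
end

class ImportMembers
  def self.call(actor, target, source)
    return :denied unless MemberPolicy.can_admin_members?(actor, target)
    target.members |= source.members
    :ok
  end
end

# Constructed scenario mirroring the report: a maintainer on a project in a
# group whose member lock is on (or off), importing from a sibling project.
def build_scenario(locked:)
  group  = Group.new(["owner"], locked)
  target = Project.new(group, ["maintainer"], ["owner"])
  source = Project.new(group, ["maintainer"], ["owner", "outsider"])
  [target, source]
end
```

The regression check a defender wants is the locked-group case: the maintainer's import must be refused on the server regardless of whether the UI hides the control.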

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2018-12-07_at_01.33.48.png