Revoked User can approve a Merge Request created by him via approve/unapprove API which leads to Merge request info leak
**[HackerOne report #1198317](https://hackerone.com/reports/1198317)** by `muthu_prakash` on 2021-05-15, assigned to GitLab Team:

[Report](#report) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

In GitLab, when a user is demoted to the Guest role, the Guest user will not be able to view or edit the merge requests in a project, even if the merge request was created by him. But the Guest user can still use the Approvals API to approve/unapprove the merge request even after being demoted to Guest. This API also leaks the merge request details, which the Guest user is not supposed to view.

##### Steps to reproduce

- Created a new project with private access.
- Created a new file in the master branch (made some changes).
- Invited a user with the Maintainer role.
- From the Maintainer role account, created a new branch named `test` and made some changes.
- After that, from the project admin account, I created a merge request with `test` as the source branch and `master` as the target branch.
- Assigned that merge request to the Maintainer role user.
- After creating the merge request, from the project admin account, demoted the Maintainer role user to the Guest role.
- From the demoted user's account, I created a personal access token with all the available scopes selected.
- Using an API client, sent a POST request to the approvals endpoint. Sample endpoints:
  - https://gitlab.com/api/v4/projects/26669301/merge_requests/1/unapprove
  - https://gitlab.com/api/v4/projects/26669301/merge_requests/1/approve
- This API endpoint responds with a 201 status and the merge request details, which the Guest user is not supposed to approve or view.

##### Impact

Demoted users can approve the merge requests created by them and can view the confidential data of those merge requests once their role is revoked. This leads to sensitive info disclosure to unauthorised users.

##### What is the current *bug* behavior?

Demoted users can approve the merge requests created by them and can view the confidential data of those merge requests once their role is revoked.

##### What is the expected *correct* behavior?

Demoted users should be blocked from approving the merge requests created by them and from viewing the confidential data of those merge requests once their role is revoked.

##### Output of checks

This bug happens on GitLab.com.

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
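The authorization gap the report describes, as an added illustration that is not GitLab's code: a stripped-down approve handler that grants on membership alone (and echoes the merge request back) next to one that re-checks read permission on every call. The access-level numbers follow GitLab's documented role ordering; the rule that a Guest cannot read merge requests on a private project is taken from the report, and the project, branch and user names are constructed.

```ruby
# Added example, not GitLab's own code. Access levels follow GitLab's documented
# role ordering; the merge-request visibility rule below is the one the report states.
GUEST, REPORTER, DEVELOPER, MAINTAINER = 10, 20, 30, 40

MergeRequest = Struct.new(:iid, :title, :description, :assignee, :approvers)
Project = Struct.new(:id, :visibility, :access) # access: { username => access_level }

# Assumed rule (from the report): on a private project a Guest cannot read merge
# requests at all, even ones they authored. Only the caller's *current* level counts.
def can_read_merge_request?(project, user)
  level = project.access[user]
  return false if level.nil?
  project.visibility != :private || level >= REPORTER
end

# Vulnerable shape: any current member may approve, and the full merge request is
# serialised back, so a demoted author still approves and still sees the details.
def approve_vulnerable(project, mr, user)
  return { status: 403, body: { message: "403 Forbidden" } } unless project.access.key?(user)
  mr.approvers << user unless mr.approvers.include?(user)
  { status: 201, body: mr.to_h }
end

# Hardened shape: re-evaluate read permission on every request and return a bare
# error to callers who fail it, so nothing about the merge request is disclosed.
def approve_hardened(project, mr, user)
  unless can_read_merge_request?(project, user)
    return { status: 403, body: { message: "403 Forbidden" } }
  end
  mr.approvers << user unless mr.approvers.include?(user)
  { status: 201, body: mr.to_h }
end

# Constructed scenario from the report: "alice" is a Maintainer when the merge
# request is opened and assigned to her, then demoted to Guest before calling approve.
def demoted_author_scenario(approve)
  project = Project.new(26669301, :private, { "admin" => MAINTAINER, "alice" => MAINTAINER })
  mr = MergeRequest.new(1, "test -> master", "confidential details", "alice", [])
  project.access["alice"] = GUEST # demotion happens after the merge request exists
  approve.call(project, mr, "alice")
end

puts demoted_author_scenario(method(:approve_vulnerable)).inspect # 201 plus leaked fields
puts demoted_author_scenario(method(:approve_hardened)).inspect   # 403, no MR fields
```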