Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pull Requests can be listed without having the corresponding permission #4587

Closed
2 of 7 tasks
L-P opened this issue Aug 1, 2018 · 2 comments
Closed
2 of 7 tasks

Pull Requests can be listed without having the corresponding permission #4587

L-P opened this issue Aug 1, 2018 · 2 comments
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!

Comments

@L-P
Copy link

L-P commented Aug 1, 2018

  • Gitea version (or commit ref): 1.4.3 (docker)
  • Git version: 2.15.2
  • Operating system: Alpine 3.7 (docker)
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No (try is down)
    • Not relevant
  • Log gist:

Description

I created an "extern" team on an organization with read-only access to code
only, and assigned a single repository to it. (see the attached screenshot)

When going to /pulls with an account assigned to this extern team (and this
team only) I can list all pull requests, including the title, author, date
number of comments and open/closed status.
When trying to access the details of a single PR I get the expected 404.

Being able to list the pull requests when I specifically disabled the right to
access them is an information leak and a security issue.

Screenshots

Permissions screen
@lafriks lafriks added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Aug 2, 2018
@lunny
Copy link
Member

lunny commented Oct 29, 2018

Cannot reproduce this on 7694c99

@lunny
Copy link
Member

lunny commented Dec 8, 2018

This should be fixed if exist by #5314

@lunny lunny closed this as completed Dec 8, 2018
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lunny @lafriks @L-P