Reporters can create labels in projects/groups
HackerOne report #542369 by ashish_r_padelkar
on 2019-04-19, assigned to asaba
Summary
Hello,
As per your latest policy, "Reports about intended behavior resulting in an update of our documentation will be rewarded with a $100 bounty, as long as this update is security related."
Not too sure if this is a valid issue or just needs a documentation update.
As per the documentation of labels here https://gitlab.com/help/user/project/labels.md, go to the Creating labels section and you will see a note:
Note: A permission level of `Developer` or higher is required to create labels.
This is not true. A user with the Reporter role can create labels too!
Steps to reproduce
- Just log in to any project/group where you have the Reporter role and go to labels at https://gitlab.com/<GroupName>/<ProjectName>/labels and you will see a New Label button where you can create new labels.
What is the current bug behavior?
A reporter can create labels in groups/projects.
What is the expected correct behavior?
Only the Developer or higher role should be able to create labels.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too
Regards,
Ashish
Impact
A reporter can create labels in projects/groups
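One way to turn the report's manual check into a repeatable audit of documentation versus enforced behaviour, as an added example that is not part of the report or of GitLab's own code: it reads the probing user's access level through the GitLab REST API v4 members endpoint, compares it with the documented rule (Developer or higher), then attempts to create and immediately delete a throwaway label with that user's token. The base URL, project id, user id, token and probe label name are assumptions supplied by whoever runs it.

```python
"""Audit whether label creation is gated at the documented role (Developer or higher)."""
import json
import urllib.error
import urllib.request

# Access levels as returned by the GitLab members API (integers).
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}
DEVELOPER = 30


def documented_can_create_labels(access_level: int) -> bool:
    """The rule quoted from the documentation in the report: Developer or higher."""
    return access_level >= DEVELOPER


def _request(base_url, token, method, path, data=None):
    """Minimal JSON call against /api/v4; returns (HTTP status, decoded body or None)."""
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(f"{base_url}/api/v4{path}", data=body, method=method,
                                 headers={"PRIVATE-TOKEN": token,
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def observed_can_create_labels(base_url, token, project_id, label_name="perm-probe"):
    """Try to create a label as the token's user, clean it up, report what the server allowed."""
    status, created = _request(base_url, token, "POST", f"/projects/{project_id}/labels",
                               {"name": label_name, "color": "#428BCA"})
    if status == 201:  # server accepted the write: remove the probe label again
        _request(base_url, token, "DELETE", f"/projects/{project_id}/labels/{created['id']}")
        return True
    if status in (401, 403):  # server refused: permission is enforced
        return False
    raise RuntimeError(f"unexpected status {status} while probing label creation")


def audit(base_url, token, project_id, user_id):
    """Compare documented and observed behaviour for one member (inherited roles included)."""
    _, member = _request(base_url, token, "GET", f"/projects/{project_id}/members/all/{user_id}")
    level = member["access_level"]
    documented = documented_can_create_labels(level)
    observed = observed_can_create_labels(base_url, token, project_id)
    return {"role": ACCESS_LEVELS.get(level, str(level)), "documented": documented,
            "observed": observed, "mismatch": documented != observed}
```

A `mismatch` of True with role Reporter is exactly the condition the report describes; the audit is also useful after the fix (whether to the code or to the docs) to confirm the two now agree.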