Group Repository Analytics visible for guest users
HackerOne report #995975 by ashish_r_padelkar
on 2020-10-01, assigned to @ankelly:
Report
Summary
Hello,
The Group Repository Analytics menu option is visible to guest users in a private group. This happens despite the guest having no access to repositories. This works correctly in projects, where repository analytics is hidden from guest users, but not in groups!
Also, it is mentioned here https://docs.gitlab.com/ee/user/analytics/repository_analytics.html
that "It's available to anyone who has permission to clone the repository,"
and I don't think a Guest user does!
Steps to reproduce
- Log in as a guest user in a private group
- Directly visit https://gitlab.com/groups/<GroupName>/-/analytics/repository_analytics and it should be accessible.
- It can be seen directly in the UI too!
What is the current bug behavior?
Guest users are able to view the Repository Analytics menu option despite having no access to the repositories of projects in the private group!
What is the expected correct behavior?
The Repository Analytics menu option should not be visible to guest users.
Output of checks
This bug happens on GitLab.com GitLab Enterprise Edition 13.5.0-pre a9762e8ca14
Regards,
Ashish
Impact
Guest users in a private group are able to see Repository Analytics despite having no access to the repositories of its projects!
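The inconsistency the report describes (a project-level check that correctly hides the feature from guests, next to a group-level check that does not) can be modelled as a small authorization example. This is added illustration code, not GitLab's implementation; the role names follow GitLab's access levels, while the struct names, method names and the sample group are assumptions.

```ruby
# Hypothetical, simplified model of feature visibility for "Repository Analytics".
# Added example, not GitLab's code. Role names mirror GitLab access levels;
# the classes, method names and sample data below are assumed.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Project = Struct.new(:name, :visibility)            # visibility: :private or :public
Group   = Struct.new(:name, :visibility, :projects)

# Can a member with `role` read (clone) the code of `project`?
# In a private project the guest role carries no repository read access.
def can_read_repository?(role, project)
  return true if project.visibility == :public
  ROLE_RANK.fetch(role) >= ROLE_RANK[:reporter]
end

# Project-level check: the behaviour the report says is already correct.
def project_repo_analytics_visible?(role, project)
  can_read_repository?(role, project)
end

# Group-level check as the report describes it: any member sees the menu,
# regardless of whether they can read a single repository in the group.
def group_repo_analytics_visible_buggy?(role, _group)
  ROLE_RANK.key?(role)
end

# Corrected group-level check: derive visibility from the same project-level
# permission, so the menu appears only if at least one repository is readable.
def group_repo_analytics_visible_fixed?(role, group)
  group.projects.any? { |project| can_read_repository?(role, project) }
end

# Constructed sample data: a private group with two private projects.
SAMPLE_GROUP = Group.new("private-group", :private,
                         [Project.new("svc-a", :private), Project.new("svc-b", :private)])

if __FILE__ == $0
  %i[guest reporter].each do |role|
    puts "#{role}: buggy=#{group_repo_analytics_visible_buggy?(role, SAMPLE_GROUP)} " \
         "fixed=#{group_repo_analytics_visible_fixed?(role, SAMPLE_GROUP)}"
  end
end
```

The buggy variant returns true for the guest while the project-level check for every project in the group returns false; the fixed variant agrees with the project-level result, which is the consistency the report asks for.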