The package deletion button is shown to users without the permission to delete a package
Setting the issue as confidential as I haven't checked that there's no actual vulnerability.
Summary
While logged out, I checked the Package Registry page of this project and realized that the "delete package" buttons were shown.
Since I actually wanted to delete the first two packages, I tried to click the buttons, but then got a "Something went wrong" error (thankfully!).
The buttons shouldn't be shown when the current user doesn't have the permission to perform the action.
Steps to reproduce
- Be logged out of GitLab.com
- Visit https://gitlab.com/gitlab-org/gitlab/-/packages
- The deletion buttons are shown
What is the current bug behavior?
The "delete package" buttons are shown even if the current user doesn't have the permission to perform the action.
What is the expected correct behavior?
The "delete package" buttons shouldn't be shown when the current user doesn't have the permission to perform the action.
Relevant logs and/or screenshots
Results of GitLab environment info
This happens on GitLab.com.