Commit messages can accidentally cause tagging of users or groups
Summary
Adding a commit message containing a @group
or @user
to an MR will cause that group/user to become a Participant in the MR.
Screenshot from blackstream-x/postleid!3 (merged) where the user has accidentally tagged all GitLab Pages group members:
Steps to reproduce
- Open an MR
- Add a commit to the MR containing
@group
or@user
as commit message title - See the group members or user now being a participant in the MR
Example Project
blackstream-x/postleid!3 (merged)
What is the current bug behavior?
The user can tag any public group or user in a commit message (that may or may not be written using the GitLab UI)
What is the expected correct behavior?
The user can tag only public users or groups of organisations they are a member of. In all other cases the commit message remains a plaintext string.
Output of checks
This bug happens on GitLab.com