Members removed from team/repository keep watches #3782

Closed
1 task done
michaelkuhn opened this issue Apr 10, 2018 · 7 comments
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Comments

@michaelkuhn
Contributor

Description

When removing members from a team, they lose access to the respective repositories but keep their watches on the repository. This allows them to receive notifications via e-mail even if they should not be able to access the repository.

Reproducer (see link above): I added lunny to the test team, gave the team access to the repository and then removed lunny again. He still has a watch on the repository.
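An added illustration of the fix such a report calls for, not Gitea's own code: a constructed in-memory model in which removing a team member also revokes watches on repositories the user can no longer reach, while keeping watches that remain justified through another team or a direct collaboration. All type and function names, and the sample teams and repositories, are assumptions.

```go
package main

import "sort"

// Constructed model (not Gitea's schema): watches are stored apart from access.
type Access struct {
	Teams         map[string]map[string]bool // team -> members
	TeamRepos     map[string]map[string]bool // team -> repos it can read
	Collaborators map[string]map[string]bool // repo -> direct collaborators
	Watches       map[string]map[string]bool // repo -> watching users
}

// HasAccess reports whether user can still reach repo by any route.
func (a *Access) HasAccess(user, repo string) bool {
	if a.Collaborators[repo][user] {
		return true
	}
	for team, members := range a.Teams {
		if members[user] && a.TeamRepos[team][repo] {
			return true
		}
	}
	return false
}

// RemoveFromTeam drops the membership, then revokes every watch on a repo the
// user can no longer reach; watches still justified elsewhere are kept.
func (a *Access) RemoveFromTeam(user, team string) []string {
	delete(a.Teams[team], user)
	var revoked []string
	for repo, watchers := range a.Watches {
		if watchers[user] && !a.HasAccess(user, repo) {
			delete(watchers, user)
			revoked = append(revoked, repo)
		}
	}
	sort.Strings(revoked) // map order is random; sort for a stable result
	return revoked
}

// NewScenario is the constructed reproducer: lunny sits in two teams and
// watches one repo of each; leaving "test" must revoke only that repo's watch.
func NewScenario() *Access {
	return &Access{
		Teams:         map[string]map[string]bool{"test": {"lunny": true}, "core": {"lunny": true}},
		TeamRepos:     map[string]map[string]bool{"test": {"org/repo": true}, "core": {"org/other": true}},
		Collaborators: map[string]map[string]bool{},
		Watches:       map[string]map[string]bool{"org/repo": {"lunny": true}, "org/other": {"lunny": true}},
	}
}
```

The same sweep belongs wherever access is withdrawn (team deletion, team losing a repository, a collaborator being removed), otherwise a notification path survives the permission it depended on.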

@lunny lunny added the type/bug label Apr 10, 2018
@lunny lunny added this to the 1.5.0 milestone Apr 10, 2018
@mqudsi
Contributor

mqudsi commented Apr 14, 2018

This should be tagged with a security label and perhaps assigned a CVE.

@lunny
Member

lunny commented Apr 15, 2018

@mqudsi it will only show the wrong watch but there is no wrong permission.

@mqudsi
Contributor

mqudsi commented Apr 15, 2018

@lunny thanks, that's much better :)

@michaelkuhn
Contributor Author

From what I could tell, removed members will still get notification e-mails (including the full comments) for issues etc. While the removed members do not have access to the repository anymore, they may still get information they should not get.

@axifive
Member

axifive commented May 16, 2018

Perhaps need to add security or priority label?

@lunny lunny added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label May 16, 2018
@daviian
Member

daviian commented Jun 5, 2018

Just wanted to mention that I'm already working on it, including #3343 and #4149, because they're closely related.

@techknowlogick
Member

Closed with #4201

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020

7 participants