
Security: Regular User is allowed to view and manage list of subscriptions belonging to a different user #28

Open
jfrerich opened this issue May 25, 2021 · 3 comments
Labels
Help Wanted Community help wanted Type/Enhancement New feature or improvement of existing feature Up For Grabs Ready for help from the community. Removed when someone volunteers

Comments

@jfrerich
Contributor

jfrerich commented May 25, 2021

From GH Comment: #5 (review)

6) Regular User is allowed to view and manage list of subscriptions belonging to a different user.

Severity: Low

Steps:

  • Log in as User1 on Mattermost.
  • Connect to Bitbucket as User1.
  • Subscribe to a few private repositories using the command /bitbucket subscribe user1/repo1
  • In another browser, log in as User2 with low privileges and visit the same channel.
  • Check the subscriptions with /bitbucket subscribe list and notice that it still displays repo1, which is a private repo of user1.
  • Unsubscribe using the command /bitbucket unsubscribe user1/repo1 and notice that the user is allowed to change a subscription belonging to a different user.

Expected: Subscriptions should be user based. Only the owner of the subscription should be allowed to view or unsubscribe.
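As an added illustration of the owner check the report expects (example code, not part of the mattermost-plugin-bitbucket project), this hypothetical in-memory store records which Mattermost user created each channel subscription and scopes both the listing and the unsubscribe command to the requester; every type and function name here is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model; the plugin's real storage layout is not shown in the issue.
type Subscription struct{ Repo, ChannelID, CreatorID string } // CreatorID: who ran /bitbucket subscribe

var ErrNotOwner = errors.New("subscription belongs to a different user")
var ErrNotFound = errors.New("no such subscription in this channel")
type Store struct{ subs []Subscription }

func (s *Store) Subscribe(channelID, userID, repo string) {
	s.subs = append(s.subs, Subscription{Repo: repo, ChannelID: channelID, CreatorID: userID})
}

// ListOwnSubscriptions scopes the listing to the requester; the reported listing lacks this CreatorID check.
func (s *Store) ListOwnSubscriptions(channelID, requesterID string) []string {
	var repos []string
	for _, sub := range s.subs {
		if sub.ChannelID == channelID && sub.CreatorID == requesterID {
			repos = append(repos, sub.Repo)
		}
	}
	return repos
}

// Unsubscribe removes a subscription only if the requester created it (the reported code has no such check).
func (s *Store) Unsubscribe(channelID, requesterID, repo string) error {
	for i, sub := range s.subs {
		if sub.ChannelID != channelID || sub.Repo != repo {
			continue
		}
		if sub.CreatorID != requesterID {
			return ErrNotOwner
		}
		s.subs = append(s.subs[:i], s.subs[i+1:]...)
		return nil
	}
	return ErrNotFound
}

func main() { // User2 can neither see nor remove User1's subscription
	s := &Store{}
	s.Subscribe("town-square", "user1", "user1/repo1")
	fmt.Println(s.ListOwnSubscriptions("town-square", "user2"), s.Unsubscribe("town-square", "user2", "user1/repo1"))
}
```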

@jfrerich jfrerich changed the title Regular User is allowed to view and manage list of subscriptions belonging to a different user Security: Regular User is allowed to view and manage list of subscriptions belonging to a different user May 25, 2021
@sibasankarnayak
Contributor

@jfrerich if we make these changes, all users can still be notified, as notifications are independent of users.
Should this be the flow?

cc @hanzei @mickmister

@mickmister
Contributor

Expected: Subscriptions should be user based. Only the owner of the subscription should be allowed to view or unsubscribe.

I'm not sure I agree with this. This doesn't follow the conventions of the GitHub and GitLab plugins, for instance. Subscriptions do not usually belong to a given user.

@hanzei @aaronrothschild I'm not sure what to do with this ticket. We need to step back and design how this should work if we want to introduce this sort of access control.

@aaronrothschild

Agreed - this would be a big change. I'd mark it "don't fix" for now. @mickmister

@hanzei hanzei added Type/Enhancement New feature or improvement of existing feature Help Wanted Community help wanted Up For Grabs Ready for help from the community. Removed when someone volunteers labels Mar 9, 2023