
Introduce setting to restrict visibility of Confluence (and other) Integrations


In the project settings, maintainers can restrict the visibility of, and access to, individual parts of a project (for example the wiki). There is currently no equivalent control for the Confluence integration (or for other integrations) within GitLab: once an integration is configured, its project-facing page is shown to anyone who can reach it, regardless of how the related feature's visibility is set.

The purpose of this issue is to track the effort of adding such controls for the Confluence integration (and for any other integrations where a visibility setting makes sense).

Note: This originally came in as a HackerOne report, but since it was determined that there is no actionable security vulnerability it has been changed to a feature request.

Original HackerOne Report Title: Confluence wiki visible even when the Wiki visibility has been set to Only Project Members

HackerOne report #1040211 by shells3c on 2020-11-21, assigned to @ankelly:

Report

Summary

Even if you set the Wiki visibility to Only Project Members, anonymous users can still access the Confluence Wiki page, which contains the Wiki link!

Steps to reproduce
  1. Set the Wiki visibility to Only Project Members at https://gitlab.com/:user/:project/edit
  2. Now use the Confluence Workspace integration by visiting https://gitlab.com/:user/:project/-/settings/integrations and adding the Wiki link
  3. After finishing, visit this link from an incognito window: https://gitlab.com/:user/:project/-/wikis/-/confluence
  4. You will be able to view the wiki link, although the Wiki must be private according to the general setting

What is the current bug behavior?

Able to access the Confluence Wiki from https://gitlab.com/:user/:project/-/wikis/-/confluence

What is the expected correct behavior?

You should block access to https://gitlab.com/:user/:project/-/wikis/*

Output of checks

This bug happens on GitLab.com

Impact

Unauthenticated users can access the Confluence Wiki page (with the Wiki link) although the owner wants it to be private. From what GitLab said:

>We are hard at work integrating Confluence more seamlessly into GitLab

This will be more impactful in the future.
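The following Ruby snippet is an added example and is not GitLab's own code. It models the authorization decision the report describes as missing on the `/-/wikis/-/confluence` route, showing the behaviour from the report (the page only checks that the integration is configured) beside a hardened form that gates the route on the wiki's visibility and on the per-integration visibility setting this issue proposes. The module, struct and function names, the access-level constants, and the sample project are all hypothetical; the Confluence URL is constructed.

```ruby
# Added example, not GitLab code. Models the access check for the Confluence
# wiki page; all names and constants are hypothetical.

module Visibility
  # Ordered like a per-feature visibility dropdown (illustrative values).
  DISABLED = 0   # feature off for everyone
  PRIVATE  = 10  # project members only ("Only Project Members")
  ENABLED  = 20  # anyone who can see the project
end

Project = Struct.new(:path, :public, :members, :wiki_access_level,
                     :confluence_url, :confluence_access_level,
                     keyword_init: true)
User = Struct.new(:name)  # an anonymous visitor is represented by nil

def member?(project, user)
  !user.nil? && project.members.include?(user.name)
end

def can_see_project?(project, user)
  project.public || member?(project, user)
end

# Generic feature gate with the semantics of the wiki visibility setting.
def feature_visible?(level, project, user)
  case level
  when Visibility::DISABLED then false
  when Visibility::PRIVATE  then member?(project, user)
  when Visibility::ENABLED  then can_see_project?(project, user)
  else false  # unknown level: fail closed
  end
end

# Behaviour described in the report: the page only checks that the
# integration is configured, so an anonymous visitor gets the link back
# even when the wiki is restricted to project members.
def confluence_page_vulnerable(project, _user)
  return :not_found if project.confluence_url.nil?
  { status: 200, link: project.confluence_url }
end

# Hardened form: the route lives under /-/wikis/, so it must honour the wiki
# visibility; the integration-level setting proposed in this issue is applied
# on top, so maintainers can hide the link even from users who can read the
# wiki. Responding :not_found rather than :forbidden avoids confirming to
# outsiders that a Confluence space is linked at all.
def confluence_page_fixed(project, user)
  return :not_found if project.confluence_url.nil?
  return :not_found unless feature_visible?(project.wiki_access_level, project, user)
  return :not_found unless feature_visible?(project.confluence_access_level, project, user)
  { status: 200, link: project.confluence_url }
end

# Constructed sample: a public project whose wiki is set to project members only.
EXAMPLE_PROJECT = Project.new(
  path: "group/project",
  public: true,
  members: ["maintainer"],
  wiki_access_level: Visibility::PRIVATE,
  confluence_url: "https://example.atlassian.net/wiki/spaces/TEAM",  # constructed
  confluence_access_level: Visibility::ENABLED
)

# Constructed sample for the proposed setting: wiki visible to everyone, but the
# Confluence integration itself restricted to project members.
EXAMPLE_PROJECT_INTEGRATION_PRIVATE = Project.new(
  path: "group/other-project",
  public: true,
  members: ["maintainer"],
  wiki_access_level: Visibility::ENABLED,
  confluence_url: "https://example.atlassian.net/wiki/spaces/OTHER",  # constructed
  confluence_access_level: Visibility::PRIVATE
)

if __FILE__ == $0
  anon = nil
  puts "vulnerable, anonymous: #{confluence_page_vulnerable(EXAMPLE_PROJECT, anon).inspect}"
  puts "fixed, anonymous:      #{confluence_page_fixed(EXAMPLE_PROJECT, anon).inspect}"
  puts "fixed, member:         #{confluence_page_fixed(EXAMPLE_PROJECT, User.new('maintainer')).inspect}"
end
```

Run it with `ruby confluence_visibility.rb` to see the two outcomes side by side. The design point is that the Confluence page is reached through the wiki URL space, so the minimal fix is to reuse the wiki gate there; the integration-level level is the additional knob this issue asks for, and both checks fail closed on an unknown level.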