In a Private Group, Adding A Reviewer Not A Member of the Group to a Git MP Results In Reviewer Being Added As Subscriber to the TO and FROM Repositories With Full Read Access
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Triaged | High | Guruprasad | |
Bug Description
In a private LP Group, a user outside the private group may be added to an MP. Once added to the MP the user has access to:
* see the MP (expected, even without perms)
* navigate to the FROM git branch and see the entire FROM repo
* navigate to the TO git branch and see the entire TO repo
* automatically subscribed to all future MPs for the TO repo
* ??? automatically subscribed to all future MPs for the FROM repo (did not try going FROM to a different TO, but I assume they are subscribed)
This results in an overprivileged view. Use Case:
* as a member of a Private LP Group, I am making a change which was reported by someone outside our private group. I would like that person to review the change. However, we do not want them to see our entire repository as it contains proprietary or secret information (including but not limited to business sensitive information and credentials)
A more likely case is an accidental addition of a user:
* as a member of a Private LP group, I go to add `userX` and erroneously add `userC`. `userC` now has full access to both repositories.
Clean up isn't difficult, though there are two places:
1. removal from the TO repo
2. removal from the FROM repo
A user may also be removed at the top level in Launchpad.
Perfect world:
A user added to an MP who is outside the private launchpad group only has access to the MP. They would not be subscribed to all future MPs or changes for that repository. They would not have access to the entire TO or FROM repositories.
Changed in launchpad:
status: New → Triaged
importance: Undecided → High
tags: added: lp-code
Changed in launchpad:
assignee: nobody → Guruprasad (lgp171188)
other avenues that would lessen the blow on this:
- a setting on the project to disallow sharing completely (automatic or otherwise, or disallow automatic only). this means either an individual user pushing an MP cannot add a reviewer who doesn't already have access to the repo as a whole, or they can but the reviewer will not be able to click through to the MP at all (which might be raised as a bug but it's a _safer_ bug)
- a notification to project owners + maintainers whenever a new person has access to the code who did not have access before
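
The notification suggested in the last item comes down to comparing who can read each repository before and after a change and flagging anyone outside the private group. The sketch below is an added example, not Launchpad code: the snapshot format, the repository names `FROM-repo` and `TO-repo`, and the function names are assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data: who can read each repository, before and after
# userC was added as a reviewer on one merge proposal (MP).
TEAM = {"alice", "bob"}                      # members of the private group
BEFORE = {"FROM-repo": {"alice"}, "TO-repo": {"alice", "bob"}}
AFTER = {
    "FROM-repo": {"alice", "bob", "userC"},  # bob is in the team: not flagged
    "TO-repo": {"alice", "bob", "userC"},
}


def new_outside_access(before, after, team):
    """Map each non-team person to the repositories they newly gained."""
    gained = defaultdict(set)
    for repo, readers in after.items():
        for person in readers - before.get(repo, set()):
            if person not in team:
                gained[person].add(repo)
    return {person: sorted(repos) for person, repos in gained.items()}


def build_alerts(before, after, team):
    """One alert per person, listing every repository that needs cleanup."""
    alerts = []
    for person, repos in sorted(new_outside_access(before, after, team).items()):
        alerts.append(
            f"{person} is outside the private group and can now read: "
            f"{', '.join(repos)}. Remove the subscription on each if unintended."
        )
    return alerts


if __name__ == "__main__":
    for line in build_alerts(BEFORE, AFTER, TEAM):
        print(line)
```

Grouping by person rather than by repository puts both cleanup locations (TO and FROM) in a single alert, which matches the two-step removal described in the bug.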