
Further restrict UserInvite action to those with TeamEdit and TeamCreate permissions #3864

Closed
NickJosevski opened this issue Oct 17, 2017 · 3 comments
Labels
priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible

Comments

@NickJosevski

NickJosevski commented Oct 17, 2017

Summary

To further reflect the intention of the power of UserInvite, it will now require additional privileges to be granted.

Reasoning

By inviting a user to an existing team, the user is editing a team and causing the creation of a user. This would allow them to invite a user to a team with greater privilege than their own. To make it clear, they will now require TeamEdit, which makes the power of this action more obvious.

CVE

CVE-2017-15611
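The escalation path the issue describes, and the effect of the tightened rule, as an added model that is not Octopus Deploy's code. The permission names follow the issue; the idea that a user's effective permissions are the union of what their teams grant, the `Team`/`User` classes and the `invite_user` function are assumptions made for illustration. The pre-fix rule lets a user holding only UserInvite place someone into a team with more privilege than their own; the post-fix rule, requiring TeamEdit and TeamCreate as well, refuses the same request.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Permission(Enum):
    """Permission names taken from the issue; the full set is an assumption."""
    USER_INVITE = auto()
    TEAM_EDIT = auto()
    TEAM_CREATE = auto()
    ADMINISTER_SYSTEM = auto()


@dataclass(frozen=True)
class Team:
    name: str
    # Permissions every member of this team receives (assumed model).
    grants: frozenset


@dataclass
class User:
    name: str
    teams: list = field(default_factory=list)

    def effective_permissions(self):
        """Assumed model: the union of everything the user's teams grant."""
        perms = set()
        for team in self.teams:
            perms |= team.grants
        return perms


class PermissionDenied(Exception):
    pass


# Before the fix: holding UserInvite alone authorises the action.
REQUIRED_BEFORE = frozenset({Permission.USER_INVITE})
# After the fix described in the issue: TeamEdit and TeamCreate are also required.
REQUIRED_AFTER = frozenset({Permission.USER_INVITE, Permission.TEAM_EDIT, Permission.TEAM_CREATE})


def missing_permissions(inviter, required):
    """Return the subset of `required` that the inviter does not hold."""
    return required - inviter.effective_permissions()


def invite_user(inviter, invitee, team, required):
    """Add invitee to team only if inviter holds every required permission."""
    missing = missing_permissions(inviter, required)
    if missing:
        names = ", ".join(sorted(p.name for p in missing))
        raise PermissionDenied(f"{inviter.name} lacks {names}")
    invitee.teams.append(team)
    return invitee


def demo():
    """Constructed scenario: a user holding only UserInvite invites into the admin team."""
    admins = Team("Administrators", frozenset({Permission.ADMINISTER_SYSTEM}))
    inviters = Team("Inviters", frozenset({Permission.USER_INVITE}))
    mallory = User("mallory", [inviters])

    # Pre-fix rule: the invite succeeds and alice ends up with more privilege than mallory.
    alice = User("alice")
    invite_user(mallory, alice, admins, REQUIRED_BEFORE)
    escalated = Permission.ADMINISTER_SYSTEM in alice.effective_permissions()

    # Post-fix rule: refused, because mallory holds neither TeamEdit nor TeamCreate.
    bob = User("bob")
    try:
        invite_user(mallory, bob, admins, REQUIRED_AFTER)
        blocked = False
    except PermissionDenied:
        blocked = True
    return escalated, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The check is deliberately a set difference over the whole required set rather than a chain of `if` tests, so the audit log (the `PermissionDenied` message) names every missing permission and adding a further requirement later is a one-line change to `REQUIRED_AFTER`.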

@NickJosevski
Author

NickJosevski commented Oct 17, 2017

Cert PR reference was a mistake.

@octoreleasebot

octoreleasebot commented Oct 17, 2017

Release Note: Prevent a potential security vulnerability (CVE-2017-15611) by further restricting User Invite action to those with TeamEdit and TeamCreate permissions

@NickJosevski NickJosevski added the priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible label Oct 18, 2017
@lock

lock bot commented Nov 24, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 24, 2018