
Default permissions of forks disclose private repository contents to all users #791

Closed
gitblit opened this issue Aug 12, 2015 · 5 comments
gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 495

What steps will reproduce the problem?
1. Define a repo as "Restrict View, Clone, & Push" in order to give read permissions
only to selected users/teams (include "user A" here, not "user B")
2. As user A, create a fork of the repository accepting the default settings
3. As user B (no access to the upstream repo), browse to the user page of user A (/users/a)
and click on the link to the forked repository (and browse / clone it).
4. User B now has read access to a repository that was not intended to be seen by
him.

What is the expected output? What do you see instead?
- I think the fork should inherit the same permission level as the upstream repo. Adding
a "view for all" permission is not a good default.
- Whether the fork should be completely private by default, or all the upstream's users/teams
should be added, could be discussed (configured?).
- Probably the best would be an "inherit from upstream" setting. This would also keep
the permissions of the fork in sync with the upstream repo. I think this would be the
most sensible default (with an option to override to custom access permissions).

What version of the product are you using? On what operating system?
- 1.6.0 on Tomcat

Reported by steffen@steffen-gebert.de on 2014-09-05 07:38:23
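The behaviour described in the report, as an added example that is not Gitblit code and is not written against its API: a simplified Python model of the two restriction levels the report names ("Restrict Push", readable by any authenticated user, and "Restrict View, Clone, & Push", readable only by named users), the pre-fix fork default, the proposed "inherit from upstream" setting, and an audit that lists forks whose effective audience exceeds the upstream's. All class and function names (`Repo`, `fork`, `audit_forks`, `inherit`) are hypothetical; the scenario data is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Restriction(Enum):
    """Access-restriction levels, simplified to the two the report names."""
    PUSH = "restrict push"                 # any authenticated user may view and clone
    VIEW = "restrict view, clone & push"   # only explicitly named users may view


@dataclass
class Repo:
    name: str
    restriction: Restriction
    readers: set[str] = field(default_factory=set)   # named users granted read access
    upstream: Optional[Repo] = None
    inherit: bool = False   # hypothetical "inherit from upstream" setting from the report


def effective_restriction(repo: Repo) -> Restriction:
    """Walk up to the upstream while 'inherit' is set, so the fork follows it."""
    if repo.inherit and repo.upstream is not None:
        return effective_restriction(repo.upstream)
    return repo.restriction


def effective_readers(repo: Repo) -> set[str]:
    """Named readers, merged with the upstream's when inheriting (kept in sync)."""
    readers = set(repo.readers)
    if repo.inherit and repo.upstream is not None:
        readers |= effective_readers(repo.upstream)
    return readers


def can_view(repo: Repo, user: Optional[str]) -> bool:
    """Read check. user=None is anonymous; both levels deny anonymous access."""
    if user is None:
        return False
    if effective_restriction(repo) is Restriction.PUSH:
        return True            # "read for authenticated": the pre-fix fork default
    return user in effective_readers(repo)


def fork(upstream: Repo, owner: str, inherit: bool) -> Repo:
    """Create a personal fork. Without inherit, the fork gets the permissive default."""
    return Repo(name=f"~{owner}/{upstream.name}", restriction=Restriction.PUSH,
                readers={owner}, upstream=upstream, inherit=inherit)


def audit_forks(repos: list[Repo], users: list[str]) -> list[tuple[str, str]]:
    """(fork, user) pairs where the fork is readable by a user the upstream denies."""
    leaks = []
    for repo in repos:
        if repo.upstream is None:
            continue
        for user in users:
            if can_view(repo, user) and not can_view(repo.upstream, user):
                leaks.append((repo.name, user))
    return leaks


def demo() -> dict[str, bool]:
    """Constructed scenario from the report: upstream readable only by user A."""
    upstream = Repo("secret", Restriction.VIEW, readers={"a"})
    default_fork = fork(upstream, "a", inherit=False)
    inherit_fork = fork(upstream, "a", inherit=True)
    return {
        "b_sees_default_fork": can_view(default_fork, "b"),   # the reported disclosure
        "b_sees_inherit_fork": can_view(inherit_fork, "b"),
        "a_sees_inherit_fork": can_view(inherit_fork, "a"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

`audit_forks` is the check an administrator would run over an existing installation after upgrading: any fork whose effective readers include someone the upstream denies is a candidate for tightening, independent of which default the server applies to new forks.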


gitblit commented Aug 12, 2015

To clarify step 2.: The default permission level for the fork is "Restrict Push (Named)".
This means "read for authenticated".

Reported by steffen@steffen-gebert.de on 2014-09-05 07:44:05


gitblit commented Aug 12, 2015

Reported by James.Moger on 2014-09-05 13:29:16

  • Status changed: Accepted
  • Labels added: Milestone-1.6.1


gitblit commented Aug 12, 2015

The fix for this has been pushed to master & develop.
https://dev.gitblit.com/tickets/gitblit.git/167

Reported by James.Moger on 2014-09-05 23:21:58

  • Status changed: Queued


gitblit commented Aug 12, 2015

Thanks, James! Works fine.

Reported by steffen@steffen-gebert.de on 2014-09-10 09:45:10


gitblit commented Aug 12, 2015

v1.6.1 released

Reported by James.Moger on 2014-10-20 21:36:03

  • Status changed: Done

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix modified the milestone: 1.6.1 Dec 13, 2016