davideuler / gitblit

Automatically exported from code.google.com/p/gitblit
Apache License 2.0

Default permissions of forks disclose private repository contents to all users #495

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Define a repo as "Restrict View, Clone, & Push" in order to give read permissions only to selected users/teams (include "user A" here, not "user B")
2. As user A, create a fork of the repository accepting the default settings
3. As user B (no access to the upstream repo), browse to the user page of user A (/users/a) and click on the link to the forked repository (and browse / clone it).
4. User B now has read access to a repository which was not intended to be seen by him.

What is the expected output? What do you see instead?
- I think the fork should inherit the same permission level as the upstream repo. Adding a "view for all" permission is not a good default.
- Whether the fork should be completely private by default, or whether all the upstream's users/teams should be added, could be discussed (configured?).
- Probably the best would be an "inherit from upstream" setting. This would also keep the permissions of the fork in sync with the upstream repo. I think this would be the most sensible default (with an option to override to custom access permissions).

What version of the product are you using? On what operating system?
- 1.6.0 on Tomcat

Original issue reported on code.google.com by stef...@steffen-gebert.de on 5 Sep 2014 at 7:38

GoogleCodeExporter commented 9 years ago
To clarify step 2: The default permission level for the fork is "Restrict Push (Named)". This means "read for authenticated".

Original comment by stef...@steffen-gebert.de on 5 Sep 2014 at 7:44
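The disclosure from the report and the clarified fork default, modelled as an added example that is not Gitblit's own code: the level names, the `Repo` class and the inherit-from-upstream policy are assumptions that follow the issue text and the reporter's proposal, and the audit helper is a constructed defender-side check.

```python
from enum import IntEnum


class Restriction(IntEnum):
    """Access levels, least to most restrictive. Names are assumed; semantics
    follow the issue: "Restrict Push" = read for any authenticated user,
    "Restrict View, Clone, & Push" = read for named users/teams only."""
    NONE = 0   # anonymous read
    PUSH = 1   # read for authenticated users, push for named users
    VIEW = 2   # read (and everything else) for named users/teams only


class Repo:
    def __init__(self, name, restriction, members=(), upstream=None):
        self.name = name
        self.restriction = Restriction(restriction)
        self.members = frozenset(members)   # explicitly granted users/teams
        self.upstream = upstream            # set for forks, None otherwise


def can_view(repo, user):
    """user is None for anonymous access, otherwise a username."""
    if repo.restriction == Restriction.VIEW:
        return user in repo.members
    if repo.restriction == Restriction.PUSH:
        return user is not None
    return True


def fork_with_stock_default(upstream, owner):
    """Pre-fix behaviour reported above: every fork starts at PUSH,
    so any authenticated user can read it regardless of the upstream."""
    return Repo("~%s/%s" % (owner, upstream.name), Restriction.PUSH,
                {owner}, upstream)


def fork_inheriting_upstream(upstream, owner):
    """Reporter's proposed default (assumed): the fork is never more open
    than its upstream and starts with the upstream's members plus the owner."""
    return Repo("~%s/%s" % (owner, upstream.name),
                max(upstream.restriction, Restriction.PUSH),
                upstream.members | {owner}, upstream)


def forks_more_open_than_upstream(repos):
    """Audit: forks someone could read without being able to read the
    upstream (weaker level, or extra named members at VIEW level)."""
    return [r.name for r in repos if r.upstream is not None and (
        r.restriction < r.upstream.restriction
        or (r.restriction == Restriction.VIEW
            and not r.members <= r.upstream.members))]
```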

GoogleCodeExporter commented 9 years ago

Original comment by James.Mo...@gmail.com on 5 Sep 2014 at 1:29

GoogleCodeExporter commented 9 years ago
The fix for this has been pushed to master & develop.
https://dev.gitblit.com/tickets/gitblit.git/167

Original comment by James.Mo...@gmail.com on 5 Sep 2014 at 11:21

GoogleCodeExporter commented 9 years ago
Thanks, James! Works fine

Original comment by stef...@steffen-gebert.de on 10 Sep 2014 at 9:45

GoogleCodeExporter commented 9 years ago
v1.6.1 released

Original comment by James.Mo...@gmail.com on 20 Oct 2014 at 9:36