Project: Notifyr for Bitbucket Server
NOTIFYR-83

Watching a project sends users emails about repos they don't have access to, leaking confidential information

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 2.3.5
• Fix Version/s: 2.4.2
• Component/s: Email
• Labels: None
• Environment: linux with stash v3.4.0-m1

Description

We have some repos which have more restrictive security than others. At the project level we grant no permissions, then at the repo level we grant access.

When a user clicks the "watch" button on a project, they receive email notifications for pushes to branches for all of the repos in the project, regardless of whether they have access to that repo or not. Since the pull messages have commit information, this is sensitive information being leaked to users that should not have access.

Steps to reproduce

1. In a project where you don't have access to some of the repos, click "watch".
2. Someone pushes something.
3. You get an email.
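The defect described above is a missing authorization check at notification time: project-level watch membership is used as the recipient list without consulting repository-level read permission. The following is an added, constructed model (not Notifyr's or Bitbucket Server's code; the `Repository`, `PermissionModel`, user names and project/repo names are assumptions) that shows the unfiltered recipient selection beside the corrected one, plus an audit helper that reports which watchers would have been over-notified.

```python
"""Constructed model of project-watch notification recipients.

A user who watches a project should only receive push notifications for
repositories in that project that the user is permitted to read. This file
models that rule; it is not Notifyr's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Repository:
    project: str
    slug: str


@dataclass
class PermissionModel:
    # Project-level read grants: project key -> set of user names.
    project_read: dict[str, set[str]] = field(default_factory=dict)
    # Repository-level read grants: (project key, repo slug) -> set of user names.
    repo_read: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def can_read(self, user: str, repo: Repository) -> bool:
        """Read access is granted at the project level or at the repo level."""
        if user in self.project_read.get(repo.project, set()):
            return True
        return user in self.repo_read.get((repo.project, repo.slug), set())


def recipients_unfiltered(watchers: dict[str, set[str]], repo: Repository) -> set[str]:
    """Behaviour reported in the issue: every project watcher is notified,
    whether or not they can read the repository that was pushed to."""
    return set(watchers.get(repo.project, set()))


def recipients_authorized(
    watchers: dict[str, set[str]], repo: Repository, perms: PermissionModel
) -> set[str]:
    """Corrected behaviour: a project watcher is notified about a push only
    if that watcher can read the repository the push landed in."""
    return {u for u in watchers.get(repo.project, set()) if perms.can_read(u, repo)}


def leaked_recipients(
    watchers: dict[str, set[str]], repo: Repository, perms: PermissionModel
) -> set[str]:
    """Audit helper: watchers who would receive commit details for a repo
    they are not permitted to read. Non-empty means the check is missing."""
    return recipients_unfiltered(watchers, repo) - recipients_authorized(watchers, repo, perms)


# Constructed sample data (assumed names): one project, two repos, no
# project-level grants, repo-level grants as in the issue description.
PUBLIC = Repository("PROJ", "shared-tools")
SECRET = Repository("PROJ", "restricted")
PERMS = PermissionModel(
    project_read={},
    repo_read={
        ("PROJ", "shared-tools"): {"alice", "bob"},
        ("PROJ", "restricted"): {"alice"},
    },
)
# Both users clicked "watch" on the project.
WATCHERS = {"PROJ": {"alice", "bob"}}


if __name__ == "__main__":
    for repo in (PUBLIC, SECRET):
        print(repo.slug,
              "unfiltered:", sorted(recipients_unfiltered(WATCHERS, repo)),
              "authorized:", sorted(recipients_authorized(WATCHERS, repo, PERMS)),
              "leaked:", sorted(leaked_recipients(WATCHERS, repo, PERMS)))
```

The permission check runs per push event against the repository actually pushed to, not once at watch time, because repository-level grants can change after a user starts watching the project.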

People

• Assignee: Stefan Kohler (stefan)
• Reporter: Corey Steele (coreycsteele)