Watching a project sends users emails about repos they don't have access to, leaking confidential information

Description

We have some repos which have more restrictive security than others. At the project level we grant no permissions, then at the repo level we grant access.

When a user clicks the "watch" button on a project, they receive email notifications for pushes to branches for all of the repos in the project, regardless of whether they have access to that repo or not. Since the pull messages have commit information, this is sensitive information being leaked to users who should not have access.

  • STEPS TO REPRODUCE
    1. In a project where you don't have access to some of the repos, click watch
    2. Someone pushes something.
    3. You get an email
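The behaviour described above is an authorization check missing on a secondary delivery path: the "watch" subscription is taken at project level, but the data being mailed (branch names, commit messages) belongs to individual repositories with their own permissions. The following is an added illustration, not Stash or Bitbucket code; the classes, user names and project/repo names are constructed for the example. It models the reported fan-out (every project watcher is mailed) next to a hardened version that re-evaluates repository read permission for each watcher at delivery time.

```python
"""Fan-out of push notifications to project watchers, with and without a
per-repository permission check.  Added example, not Stash/Bitbucket code;
every name here (Project, Repo, PROJ, payroll, alice, bob) is made up."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Commit:
    sha: str
    message: str  # the commit message is what the report says leaks


@dataclass
class Repo:
    slug: str
    readers: frozenset  # users granted read access at the repository level


@dataclass
class Project:
    key: str
    members: frozenset  # users granted access at the project level (may be empty)
    watchers: set = field(default_factory=set)  # users who clicked "watch"


def can_read(project: Project, repo: Repo, user: str) -> bool:
    """Effective read permission: a project-level grant or a repo-level grant."""
    return user in project.members or user in repo.readers


def recipients_watch_only(project: Project, repo: Repo) -> set:
    """Reported behaviour: every project watcher is mailed, with no check
    against the permissions of the repository that was pushed to."""
    return set(project.watchers)


def recipients_authorized(project: Project, repo: Repo) -> set:
    """Hardened policy: only watchers who can read *this* repository get mail.
    The check runs per event, so a later revocation is honoured as well."""
    return {u for u in project.watchers if can_read(project, repo, u)}


def render_push_email(project: Project, repo: Repo, branch: str, commits) -> str:
    """Build the notification body; it carries the commit messages."""
    lines = [f"[{project.key}/{repo.slug}] push to {branch}"]
    lines += [f"  {c.sha[:7]} {c.message}" for c in commits]
    return "\n".join(lines)


def notify_push(project: Project, repo: Repo, branch: str, commits, pick_recipients) -> dict:
    """Return {user: email body} for one push under the given recipient policy."""
    body = render_push_email(project, repo, branch, commits)
    return {user: body for user in pick_recipients(project, repo)}


def demo():
    """Constructed scenario mirroring the report: nothing is granted at project
    level, access is handed out repo by repo, and two users watch the project."""
    secret = Repo("payroll", readers=frozenset({"alice"}))
    proj = Project("PROJ", members=frozenset(), watchers={"alice", "bob"})
    commits = [Commit("deadbeef0123", "Add Q3 salary adjustments")]

    leaky = notify_push(proj, secret, "master", commits, recipients_watch_only)
    fixed = notify_push(proj, secret, "master", commits, recipients_authorized)
    return leaky, fixed


if __name__ == "__main__":
    leaky, fixed = demo()
    print("watch-only recipients:", sorted(leaky))   # bob receives payroll commits
    print("authorized recipients:", sorted(fixed))   # only alice
```

The point of `recipients_authorized` is that the permission decision is made per event, against the object actually being disclosed, rather than once when the subscription is created: a user who could read a repository when they clicked "watch" and lost that access later is filtered out on the next push.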

Environment

linux with stash v3.4.0-m1

Assignee

Stefan Kohler

Reporter

Corey Steele

Labels

None

SEN

None

Bitbucket version

None

Fix versions

Affects versions

Priority

Major