Closed
Description
- Gitea version (or commit ref): 1.4.3 (docker)
- Git version: 2.15.2
- Operating system: Alpine 3.7 (docker)
- Database (use `[x]`):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - Yes (provide example URL)
  - No (try is down)
  - Not relevant
- Log gist:
I created an "extern" team on an organization with read-only access to code
only, and assigned a single repository to it (see the attached screenshot).
When going to /pulls with an account assigned to this extern team (and this
team only), I can list all pull requests, including the title, author, date,
number of comments and open/closed status.
When trying to access the details of a single PR I get the expected 404.
Being able to list the pull requests when I specifically disabled the right to
access them is an information leak and a security issue.
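The report describes a classic mismatch between a listing endpoint and a detail endpoint: the detail page enforces repository access (hence the 404), but the cross-repository listing does not, so metadata of pull requests in repositories the user cannot open is exposed. The following Go program is an added illustration written for this page; it is not Gitea's code and its types (`Repo`, `PullRequest`, `Team`, `User`) and the `extern` team setup are constructed assumptions. It puts the leaky listing beside a filtered one that reuses the same access check the detail view applies, and reports which titles the leaky version exposes.

```go
package main

import (
	"fmt"
	"sort"
)

// Toy model of the entities involved, constructed for this example; not Gitea's types.
type PullRequest struct {
	ID     int64
	RepoID int64
	Title  string
	Author string
	IsOpen bool
}

// Team grants read access to a set of repositories (a read-only "extern" team
// assigned to one repository, as in the report).
type Team struct {
	Name    string
	RepoIDs map[int64]bool
}

type User struct {
	Name  string
	Teams []*Team
}

// CanRead reports whether the user has read access to the repository through
// any of their teams. This is the check the detail page is assumed to apply.
func CanRead(u *User, repoID int64) bool {
	for _, t := range u.Teams {
		if t.RepoIDs[repoID] {
			return true
		}
	}
	return false
}

// ListPullsLeaky mirrors the reported behaviour: the listing is built from all
// of the organisation's pull requests without checking repository access, so
// title, author and status of PRs in repositories the user cannot open leak out.
func ListPullsLeaky(_ *User, all []PullRequest) []PullRequest {
	out := make([]PullRequest, len(all))
	copy(out, all)
	return out
}

// ListPullsFiltered applies the same access check the detail page enforces
// to every item, so the list and the detail view agree on what the user may see.
func ListPullsFiltered(u *User, all []PullRequest) []PullRequest {
	var out []PullRequest
	for _, pr := range all {
		if CanRead(u, pr.RepoID) {
			out = append(out, pr)
		}
	}
	return out
}

// LeakedTitles returns titles the leaky listing shows but the filtered one
// hides; a non-empty result is exactly the information leak in the report.
func LeakedTitles(u *User, all []PullRequest) []string {
	visible := map[string]bool{}
	for _, pr := range ListPullsFiltered(u, all) {
		visible[pr.Title] = true
	}
	var leaked []string
	for _, pr := range ListPullsLeaky(u, all) {
		if !visible[pr.Title] {
			leaked = append(leaked, pr.Title)
		}
	}
	sort.Strings(leaked)
	return leaked
}

// SampleData builds a constructed organisation: two repositories, an extern
// team with read access to repository 1 only, and a user in that team only.
func SampleData() (*User, []PullRequest) {
	extern := &Team{Name: "extern", RepoIDs: map[int64]bool{1: true}}
	u := &User{Name: "contractor", Teams: []*Team{extern}}
	prs := []PullRequest{
		{ID: 10, RepoID: 1, Title: "Fix typo in README", Author: "alice", IsOpen: true},
		{ID: 11, RepoID: 2, Title: "Internal: rotate signing keys", Author: "bob", IsOpen: true},
		{ID: 12, RepoID: 2, Title: "Internal: Q3 roadmap", Author: "carol", IsOpen: false},
	}
	return u, prs
}

func main() {
	u, prs := SampleData()
	fmt.Printf("leaky listing:    %d items\n", len(ListPullsLeaky(u, prs)))
	fmt.Printf("filtered listing: %d items\n", len(ListPullsFiltered(u, prs)))
	fmt.Printf("leaked titles:    %v\n", LeakedTitles(u, prs))
}
```

The design point is that the listing must be filtered by the same predicate the detail route uses; a regression test that compares the two, as `LeakedTitles` does, catches this class of bug whenever a new aggregate view is added.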