Security: Regular User is allowed to view and manage list of subscriptions belonging to a different user

[jfrerich]

From GH Comment: #5 (review)

6) Regular User is allowed to view and manage list of subscriptions belonging to a different user.

Severity: Low

Steps:

• Login as User1 on Mattermost.
• Connect to Bitbucket as User1.
• Subscribe to few private repositories using the command /bitbucket subscribe user1/repo1
• On another browser, login as User2 with low priviliges and visit the same channel.
• Check subscriptions /bitbucket subscribe list and notice that it still displays repo1 which is a private repo of user1.
• Unsubscribe using the command /bitbucket unsubscribe user1/repo1 and notice that user is allowed to change the subscription belonging to a different user.

Expected: Subscriptions should be user based. Only the owner of the subscription should be allowed to view or unsubscrib

[sibasankarnayak]

@jfrerich if we make this changes still all user can be notified as notification is independent of users
This should be the flow ?

cc @hanzei @mickmister

[mickmister]

Expected: Subscriptions should be user based. Only the owner of the subscription should be allowed to view or unsubscrib

I'm not sure I agree with this. This doesn't follow the conventions of the GitHub and GitLab plugins, for instance. Subscriptions do not usually belong to a given user.

@hanzei @aaronrothschild I'm not sure what to do with this ticket. We need to step back and design how this should work if we want to introduce this sort of access control.

[aaronrothschild]

Agreed - this would be a big change. I'd mark don't fix for now. @mickmister