When switching from a project visibility that allows restricted users to Private without restricted, restricted users that are project administrators keep this access right.

Impact

Restricted users that were project administrators before the visibility switch keep the possibility to access the project and do some administration actions.

Patches

The following versions contain the fix:

• Tuleap Community Edition 14.9.99.63
• Tuleap Enterprise Edition 14.10-1

For more information

If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.

References

• request #32278: Removed project admin restricted users are not remove at project visibility switch
• a108186
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=a108186e7538676c4bf6e615f793f3b787a09b91