User assignment proposals broken #18992

Closed
@fnetX

Gitea Version

1.16.3 (codeberg)

Git Version

No response

Operating System

No response

How are you running Gitea?

codeberg deployment (= building from source with patches)

Database

MySQL

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Description

We have received several concerning reports from users that the "Assign user" feature for issues, as well as mentioning via @ in the text box, shows strange users (users with no relation to the project). Also, some users who have access to the repo are apparently missing.

I could reproduce at https://try.gitea.io/repoCountIssues/9 (see screenshots). This user is not a collaborator of the repo, not in the org, not a watcher nor stargazer, nor has it opened an issue. I can't find any relation.

We received multiple reports via email, direct messages and a public post on Mastodon a while ago, see https://mastodon.social/@unfa/107875501190417072

It's a little concerning, and it would be nice to get a confirmation this does not grant strangers any permissions on those repos.
