Information disclosure in API - SnippetsFinder doesn't obey feature visibility
When snippets feature visibility is set to Disabled
or Only team members
it is still possible for any user to access them through the API.
Other places SnippetsFinder
is used also have this problem so the snippets appear in /explore/snippets
too.
Also check Snippet.accessible_to
used in Search::SnippetService
.
Edited by 🤖 GitLab Bot 🤖