Unauthorized disclosure of wiki pages in search
Summary
Wiki pages appear in search results even though the wiki permission is set to Only team members.
Steps to reproduce
- Create project with wiki pages.
- Change wiki permission to Only team members.
- Change project visibility to public.
- Search the project as an unauthorized user (or an internal user who isn't part of the project group), e.g. http://localhost:3000/search?project_id=[project_id]&scope=wiki_blobs&search=a
What is the current bug behavior?
The search shows the content of wiki pages that match the search query.
Opening the wiki pages directly, however, results in: Access denied.
What is the expected correct behavior?
Wiki pages should not be shown.
Relevant logs and/or screenshots
Project settings:
Result page:
The same issue occurs when the project visibility is internal and a user outside the project group searches.
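
The gap this report describes, as an added Ruby sketch that is not GitLab's code: the search path authorizes on project visibility alone, while the direct page view also checks the wiki feature setting. The structs, method names and sample data are constructed for illustration, and "internal" is modelled as visible to any signed-in user (an assumption).

```ruby
# Simplified model (hypothetical names), not GitLab's implementation.
Project  = Struct.new(:visibility, :wiki_access, :members, keyword_init: true)
WikiPage = Struct.new(:project, :title, :content, keyword_init: true)

def member?(user, project)
  !user.nil? && project.members.include?(user)
end

# Project-level check: public for everyone, internal for signed-in users.
def can_read_project?(user, project)
  case project.visibility
  when :public   then true
  when :internal then !user.nil?
  else member?(user, project)
  end
end

# Feature-level check: what the direct wiki page view enforces.
def can_read_wiki?(user, project)
  return false unless can_read_project?(user, project)
  project.wiki_access == :everyone || member?(user, project)
end

# Flawed search: filters on project visibility only, so it returns
# wiki content that the page view would answer with "Access denied".
def search_wiki_flawed(user, pages, query)
  pages.select { |p| can_read_project?(user, p.project) && p.content.include?(query) }
end

# Corrected search: applies the same feature check as the page view.
def search_wiki_checked(user, pages, query)
  pages.select { |p| can_read_wiki?(user, p.project) && p.content.include?(query) }
end

# Constructed sample data: both wikis are restricted to team members.
PUBLIC_PROJECT   = Project.new(visibility: :public,   wiki_access: :team_only, members: ["alice"])
INTERNAL_PROJECT = Project.new(visibility: :internal, wiki_access: :team_only, members: ["alice"])
PAGES = [
  WikiPage.new(project: PUBLIC_PROJECT,   title: "runbook", content: "a deploy checklist"),
  WikiPage.new(project: INTERNAL_PROJECT, title: "notes",   content: "a roadmap draft")
]

# Titles the flawed search discloses beyond what the user may read.
def disclosed_titles(user, query = "a")
  (search_wiki_flawed(user, PAGES, query) - search_wiki_checked(user, PAGES, query)).map(&:title)
end
```

A regression test for this class of bug compares search results against the per-page access check for each user role (anonymous, signed-in non-member, member) and expects no difference.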