
Get list of board names of public projects when issues are set as project member only (API)

HackerOne report #449563 by ashish_r_padelkar on 2018-11-25:

Summary: Hello,

When issues of public projects are set as Project Members Only, the issue menu is not visible to the public!

However, it is still possible for anyone to get the names of boards and their tags, etc., which should not happen, as boards are a sub-menu of issues!

Description: The following API endpoint is responsible for getting the list of all issue board names:

curl --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.example.com/api/v4/projects/<ProjectID>/boards

https://docs.gitlab.com/ee/api/boards.html

This shows board names even if issues are set as project members only!

Steps To Reproduce:

  1. Set issues as Project Members Only in the project settings for a public project
  2. When you navigate to the project, you won't see the Issues menu and its sub-menus
  3. Now run the following curl to obtain the list of boards:
     curl --header "PRIVATE-TOKEN: [REDACTED]" https://gitlab.example.com/api/v4/projects/<ProjectID>/boards

Regards, Ashish

Impact

Get the list of board names even when project issues are set as Project Members Only

Edited by James Ritchey
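The report above comes down to a missing authorization step: the boards endpoint checked whether the caller could see the project, but not whether the caller could see the project's issues feature, of which boards are a sub-feature. The following Ruby snippet is an added illustration, not GitLab's code or the reporter's: it models a public project whose issues are restricted to members, shows a `leaky_boards_endpoint` that gates only on project visibility (the behaviour the report describes) beside a `boards_endpoint` that inherits the issues access gate, and returns 404 rather than 403 so that the response does not confirm that boards exist. All names, the `Project`/`User` structs and the sample data are constructed for the example.

```ruby
# Added example (not GitLab's code): a minimal model of the access rule the
# report shows was missing. Board visibility must follow the issues feature's
# access level, because boards are a sub-feature of issues.
require 'set'

# Feature access levels, mirroring the three project-settings choices.
ACCESS_DISABLED = :disabled
ACCESS_PRIVATE  = :private    # "Project members only"
ACCESS_ENABLED  = :enabled    # everyone who can see the project

# Hypothetical, constructed data model (not GitLab's schema).
Project = Struct.new(:id, :visibility, :issues_access_level, :member_ids, :boards,
                     keyword_init: true)
User = Struct.new(:id, keyword_init: true)

# Can this user (nil = anonymous) see the project at all?
def project_visible?(user, project)
  return true if project.visibility == :public
  return false if user.nil?
  project.member_ids.include?(user.id)
end

# Can this user read the issues feature of the project?
def can_read_issues?(user, project)
  return false unless project_visible?(user, project)
  case project.issues_access_level
  when ACCESS_ENABLED then true
  when ACCESS_PRIVATE then !user.nil? && project.member_ids.include?(user.id)
  else false # ACCESS_DISABLED or unknown value: deny
  end
end

# Boards are a sub-feature of issues, so they inherit exactly the same gate.
def can_read_boards?(user, project)
  can_read_issues?(user, project)
end

def serialize_boards(project)
  project.boards.map { |b| { 'id' => b[:id], 'name' => b[:name] } }
end

NOT_FOUND = [404, { 'message' => '404 Not Found' }].freeze

# The behaviour the report describes: boards gated only on project visibility,
# so anyone who can see a public project can list board names.
def leaky_boards_endpoint(user, project)
  return NOT_FOUND unless project_visible?(user, project)
  [200, serialize_boards(project)]
end

# Hardened handler modelled on GET /projects/:id/boards: the issues gate applies.
def boards_endpoint(user, project)
  return NOT_FOUND unless can_read_boards?(user, project)
  [200, serialize_boards(project)]
end

# Constructed sample data: a public project with issues set to members only.
SAMPLE_PROJECT = Project.new(
  id: 42, visibility: :public, issues_access_level: ACCESS_PRIVATE,
  member_ids: Set[7],
  boards: [{ id: 1, name: 'Development' }, { id: 2, name: 'Release planning' }]
)
MEMBER   = User.new(id: 7)
OUTSIDER = User.new(id: 99)

if __FILE__ == $PROGRAM_NAME
  [[nil, 'anonymous'], [OUTSIDER, 'non-member'], [MEMBER, 'member']].each do |u, label|
    leaky_status, = leaky_boards_endpoint(u, SAMPLE_PROJECT)
    status, body  = boards_endpoint(u, SAMPLE_PROJECT)
    puts "#{label}: leaky=#{leaky_status} hardened=#{status} #{body.inspect}"
  end
end
```

Running the file prints one line per caller: the leaky handler returns 200 with board names to the anonymous and non-member callers, while the hardened handler returns 404 to both and 200 only to the member. The design point is that a sub-feature's authorization should be derived from its parent feature's check rather than re-implemented, so a settings change on the parent cannot leave the sub-feature behind.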