Unauthorized disclosure of wiki pages in search
Summary
Wiki pages appear in search results even though the wiki permission is set to Only team members.
Steps to reproduce
- Create project with wiki pages.
- Change wiki permission to Only team members.
- Change project visibility to public.
- Search the project as an unauthorized user (or an internal user who isn't part of the project group), e.g. http://localhost:3000/search?project_id=[project_id]&scope=wiki_blobs&search=a
What is the current bug behavior?
The content of wiki pages that match the search query is shown.
Opening the same wiki pages directly, however, results in: Access denied.
What is the expected correct behavior?
Wiki pages should not be shown to users who are not allowed to read the wiki.
Relevant logs and/or screenshots
Project settings:
Result page:
The same issue occurs when the project visibility is internal and a user outside the project group searches.
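The missing gate, as an added illustration rather than GitLab's own code: the search path for wiki_blobs must apply the same "can this user read the wiki?" check that the wiki page view already enforces. The Python model below (class names, the numeric levels and the sample project are assumptions made for the example) encodes project visibility plus the wiki feature permission, and returns no hits for anonymous or non-member users when the wiki is restricted to team members.

```python
from dataclasses import dataclass
from enum import IntEnum


class Visibility(IntEnum):
    PRIVATE = 0
    INTERNAL = 10
    PUBLIC = 20


class WikiAccess(IntEnum):
    DISABLED = 0
    ONLY_TEAM_MEMBERS = 10      # "Only team members" in the project settings
    EVERYONE_WITH_ACCESS = 20


@dataclass(frozen=True)
class Project:
    project_id: int
    visibility: Visibility
    wiki_access: WikiAccess
    members: frozenset           # user ids of project/group members
    wiki_pages: tuple            # (title, content) pairs, constructed sample data


ANONYMOUS = None                 # user id of a signed-out visitor


def can_read_project(project, user_id):
    if project.visibility == Visibility.PUBLIC:
        return True
    if project.visibility == Visibility.INTERNAL:
        return user_id is not ANONYMOUS   # any signed-in user
    return user_id in project.members      # private: members only


def can_read_wiki(project, user_id):
    """The gate the wiki page view enforces; search must apply the same one."""
    if not can_read_project(project, user_id):
        return False
    if project.wiki_access == WikiAccess.DISABLED:
        return False
    if project.wiki_access == WikiAccess.ONLY_TEAM_MEMBERS:
        return user_id in project.members
    return True


def search_wiki_blobs(project, user_id, query):
    """Return matching (title, content) pairs, or nothing if the wiki is not readable."""
    if not can_read_wiki(project, user_id):
        return []                          # fixed behaviour: no leak via search
    return [(t, c) for t, c in project.wiki_pages if query.lower() in c.lower()]


# Constructed sample: public project, wiki restricted to team members, user 7 is a member.
SAMPLE = Project(1, Visibility.PUBLIC, WikiAccess.ONLY_TEAM_MEMBERS, frozenset({7}),
                 (("home", "deploy key rotation notes"),))
```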