Pipelines always visible regardless of visibility settings
Summary
Regardless of the project settings, users not logged in can always see the Pipelines page and can even see parts of failed build logs.
Steps to reproduce
- Create new Project
- General Settings: set Repository(or just Pipeline) to "Only team members"
- Pipeline Settings: disable public pipelines
- Watch page as anonymous user, you can see all Pipelines
Example Project
https://gitlab.com/Rukenshia/PrivatePipelines/pipelines
What is the current bug behavior?
You can list all Pipelines of the Project but cannot click on anything (results in a 404). However, you can see part of the logs if a build failed by navigating on a pipeline: https://gitlab.com/Rukenshia/PrivatePipelines/pipelines/9600501/failures
What is the expected correct behavior?
I should not be able to see any Pipelines.
#8937 and !6842 (merged) discuss this matter, but for us it really is not an option to expose our pipelines at all. even if it is just listing them. The documentation (which should be improved as discussed in #34360 (closed)) states that the settings I applied should hide the pipeline visibility. The current behavior does not allow me to completely hide pipelines at all. The Pipelines page lists commit messages, branch/tag names, name of manual jobs, artifact names (and of course the pipeline stages, jobs and states) which we do not want to display for users.
Output of checks
This bug happens on GitLab.com