Groups API leaks private projects

Summary

Private projects are listed by the groups API without authentication.

Steps to reproduce

• create private project (for example https://gitlab.com/reproduction-group/subgroup/private)
• use groups API on parent group (for example https://gitlab.com/api/v4/groups/reproduction-group%2Fsubgroup)

What is the current bug behavior?

Private project is listed to unauthenticated user.

What is the expected correct behavior?

Private projects should only be visible to users with access to the project.

Relevant logs

curl --silent https://gitlab.com/reproduction-group/subgroup/private

<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>

curl --silent https://gitlab.com/api/v4/groups/reproduction-group%2Fsubgroup

{
  "id": 2078135,
  "name": "subgroup",
  "path": "subgroup",
  "description": "",
  "visibility": "public",
  "ldap_cn": null,
  "ldap_access": null,
  "lfs_enabled": true,
  "avatar_url": null,
  "web_url": "https://gitlab.com/groups/reproduction-group/subgroup",
  "request_access_enabled": false,
  "full_name": "reproduction-group / subgroup",
  "full_path": "reproduction-group/subgroup",
  "parent_id": 721675,
  "projects": [
    {
      "id": 4394406,
      "description": "",
      "default_branch": null,
      "tag_list": [],
      "ssh_url_to_repo": "git@gitlab.com:reproduction-group/subgroup/private.git",
      "http_url_to_repo": "https://gitlab.com/reproduction-group/subgroup/private.git",
      "web_url": "https://gitlab.com/reproduction-group/subgroup/private",
      "name": "private",
      "name_with_namespace": "reproduction-group / subgroup / private",
      "path": "private",
      "path_with_namespace": "reproduction-group/subgroup/private",
      "star_count": 0,
      "forks_count": 0,
      "created_at": "2017-10-15T20:47:34.964Z",
      "last_activity_at": "2017-10-15T20:47:34.964Z",
      "_links": {
        "self": "http://gitlab.com/api/v4/projects/4394406",
        "issues": "http://gitlab.com/api/v4/projects/4394406/issues",
        "merge_requests": "http://gitlab.com/api/v4/projects/4394406/merge_requests",
        "repo_branches": "http://gitlab.com/api/v4/projects/4394406/repository/branches",
        "labels": "http://gitlab.com/api/v4/projects/4394406/labels",
        "events": "http://gitlab.com/api/v4/projects/4394406/events",
        "members": "http://gitlab.com/api/v4/projects/4394406/members"
      },
      "archived": false,
      "visibility": "private",
      "resolve_outdated_diff_discussions": false,
      "container_registry_enabled": true,
      "issues_enabled": true,
      "merge_requests_enabled": true,
      "wiki_enabled": true,
      "jobs_enabled": true,
      "snippets_enabled": true,
      "shared_runners_enabled": true,
      "lfs_enabled": true,
      "creator_id": 14714,
      "namespace": {
        "id": 2078135,
        "name": "subgroup",
        "path": "subgroup",
        "kind": "group",
        "full_path": "reproduction-group/subgroup",
        "parent_id": 721675
      },
      "import_status": "none",
      "avatar_url": null,
      "open_issues_count": 0,
      "public_jobs": true,
      "ci_config_path": null,
      "shared_with_groups": [],
      "only_allow_merge_if_pipeline_succeeds": false,
      "request_access_enabled": false,
      "only_allow_merge_if_all_discussions_are_resolved": false,
      "printing_merge_request_link_enabled": true,
      "approvals_before_merge": 0
    }
  ],
  "shared_projects": [],
  "shared_runners_minutes_limit": null
}