Contributed projects info is still visible even user enable private profile
HackerOne report #423637 by ngalog on 2018-10-14:
Summary: From here, we know that after user enable private profile, contributed project should be hidden from public. But contributed project of user endpoint is still visible.
Steps To Reproduce:
Follow the instruction here, you will see the contributed project
Copy and paste this javascript code in gitlab.com javascript console, then you will see the info in the pop up
you can use my test account golduserngalog
a = prompt("please enter an username that enabled private profile")
$.getJSON('https://gitlab.com/users/'+a+'/contributed.json',function(data){alert(JSON.stringify(data))})
You can confirm by visiting https://gitlab.com/golduserngalog that it is really private
Impact
Contributed projects info is still visible even user enable private profile