Groups API leaks private projects
Summary
Private projects are listed by the groups API without authentication.
Steps to reproduce
- create private project (for example https://gitlab.com/reproduction-group/subgroup/private)
- use groups API on parent group (for example https://gitlab.com/api/v4/groups/reproduction-group%2Fsubgroup)
What is the current bug behavior?
Private project is listed to unauthenticated user.
What is the expected correct behavior?
Private projects should only be visible to users with access to the project.
Relevant logs
curl --silent https://gitlab.com/reproduction-group/subgroup/private
<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>
curl --silent https://gitlab.com/api/v4/groups/reproduction-group%2Fsubgroup
{
"id": 2078135,
"name": "subgroup",
"path": "subgroup",
"description": "",
"visibility": "public",
"ldap_cn": null,
"ldap_access": null,
"lfs_enabled": true,
"avatar_url": null,
"web_url": "https://gitlab.com/groups/reproduction-group/subgroup",
"request_access_enabled": false,
"full_name": "reproduction-group / subgroup",
"full_path": "reproduction-group/subgroup",
"parent_id": 721675,
"projects": [
{
"id": 4394406,
"description": "",
"default_branch": null,
"tag_list": [],
"ssh_url_to_repo": "git@gitlab.com:reproduction-group/subgroup/private.git",
"http_url_to_repo": "https://gitlab.com/reproduction-group/subgroup/private.git",
"web_url": "https://gitlab.com/reproduction-group/subgroup/private",
"name": "private",
"name_with_namespace": "reproduction-group / subgroup / private",
"path": "private",
"path_with_namespace": "reproduction-group/subgroup/private",
"star_count": 0,
"forks_count": 0,
"created_at": "2017-10-15T20:47:34.964Z",
"last_activity_at": "2017-10-15T20:47:34.964Z",
"_links": {
"self": "http://gitlab.com/api/v4/projects/4394406",
"issues": "http://gitlab.com/api/v4/projects/4394406/issues",
"merge_requests": "http://gitlab.com/api/v4/projects/4394406/merge_requests",
"repo_branches": "http://gitlab.com/api/v4/projects/4394406/repository/branches",
"labels": "http://gitlab.com/api/v4/projects/4394406/labels",
"events": "http://gitlab.com/api/v4/projects/4394406/events",
"members": "http://gitlab.com/api/v4/projects/4394406/members"
},
"archived": false,
"visibility": "private",
"resolve_outdated_diff_discussions": false,
"container_registry_enabled": true,
"issues_enabled": true,
"merge_requests_enabled": true,
"wiki_enabled": true,
"jobs_enabled": true,
"snippets_enabled": true,
"shared_runners_enabled": true,
"lfs_enabled": true,
"creator_id": 14714,
"namespace": {
"id": 2078135,
"name": "subgroup",
"path": "subgroup",
"kind": "group",
"full_path": "reproduction-group/subgroup",
"parent_id": 721675
},
"import_status": "none",
"avatar_url": null,
"open_issues_count": 0,
"public_jobs": true,
"ci_config_path": null,
"shared_with_groups": [],
"only_allow_merge_if_pipeline_succeeds": false,
"request_access_enabled": false,
"only_allow_merge_if_all_discussions_are_resolved": false,
"printing_merge_request_link_enabled": true,
"approvals_before_merge": 0
}
],
"shared_projects": [],
"shared_runners_minutes_limit": null
}
Edited by Inactive Account