Labels visible despite no access to issues & repositories

HackerOne report #638505 by ashish_r_padelkar on 2019-07-09, assigned to akelly:

Summary

Hello,

When a public group has a public project with the settings below, it should not be possible to see all its labels.
Screenshot_2019-07-10_at_01.08.24.png

However, anyone can see the project labels using the endpoint below.
https://gitlab.com/groups/newgroup_t/-/labels.json

Steps to reproduce

  1. Create a public group
  2. Create a public project inside the group and set Issues & Repository to "Only Project Members" in the settings.
  3. Log in as another user, go to the group and its projects and check whether you can see the project labels. You should not, as you don't have access and are not a team member.
  4. Now navigate directly to https://gitlab.com/groups/newgroup_t/-/labels.json and you should see all labels belonging to the project whose issues & repository you can't access.

Examples

Use this https://gitlab.com/groups/newgroup_t/-/labels.json. You will see labels from a project that you can't see in the UI because of the permissions set on the project.

What is the current bug behavior?

Labels visible publicly despite no access to issues & Repositories of a project.

What is the expected correct behavior?

Labels should not be visible when the above settings are in place for projects.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

Project Labels visible despite issue & repository permissions

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-07-10_at_01.08.24.png
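The authorization gap the report describes, as an added example that is not GitLab's code: a group-level labels listing that aggregates every project's labels (the vulnerable behaviour) beside one that keeps only labels of projects whose issues the caller may read. The Project/Group structures, the `can_read_issues?` check and the sample data are constructed stand-ins for illustration.

```ruby
# Constructed stand-ins, not GitLab's models.
# issues_access: :enabled (everyone) or :members_only ("Only Project Members").
Project = Struct.new(:name, :issues_access, :members, :labels)
Group   = Struct.new(:name, :projects)

# Per-project feature permission: a non-member must not see issue metadata
# (labels included) when Issues is restricted to project members.
# A nil user represents an anonymous visitor.
def can_read_issues?(user, project)
  return true if project.issues_access == :enabled
  !user.nil? && project.members.include?(user)
end

# Vulnerable behaviour: the group endpoint flattens all project labels
# without consulting each project's own feature permissions.
def group_labels_vulnerable(group)
  group.projects.flat_map(&:labels)
end

# Hardened behaviour: the same aggregation, filtered per caller, so
# labels of a restricted project never reach a non-member.
def group_labels_for(user, group)
  group.projects
       .select { |project| can_read_issues?(user, project) }
       .flat_map(&:labels)
end

# Constructed sample data: one open project and one with issues restricted.
def sample_group
  open_project = Project.new("docs", :enabled, ["alice"], ["documentation"])
  restricted   = Project.new("internal", :members_only, ["alice"],
                             ["security-incident", "customer-x"])
  Group.new("newgroup_t", [open_project, restricted])
end

group = sample_group
puts "anonymous, vulnerable: #{group_labels_vulnerable(group).inspect}"
puts "anonymous, hardened:   #{group_labels_for(nil, group).inspect}"
puts "member alice, hardened: #{group_labels_for('alice', group).inspect}"
```

The vulnerable listing exposes the restricted project's label names to an anonymous caller, which is exactly the leak the report's labels.json URL demonstrates; the hardened listing returns only the open project's labels to anyone outside the restricted project.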