[SECURITY] Project members see groups
Summary
When a user is given access to a repository in a subgroup only (for example as reporter), they can also see the higher-level group.
Steps to reproduce
Add a user to a subgroup's project, for example as guest or reporter.
Example Project
I've tested it in my own repository (not public).
What is the current bug behavior?
Users who are only added in the repository can see the subgroup and the subgroup's content or members. EDIT: I've also tested it with a project that is single in a group; the issue also appears.
What is the expected correct behavior?
Get a 404, as when trying to access the group.
Possible fixes
Get a 404, as for a page you don't have access to.
Edited by Marcel Deglau