Project reporters (and above) can see confidential EPIC attached to confidential issues
The feature allows an EPIC to be confidential; a confidential EPIC can only contain confidential issues.
When a confidential EPIC is attached to a confidential issue, the EPIC title is visible to Reporters of the project who have been given permissions only at project level.
Steps to reproduce
- Create a group and a confidential EPIC.
- Create a project and a confidential issue.
- Attach the confidential EPIC to the confidential issue.
- Give a user Reporter access only at project level.
- Directly visit the confidential issue as that user and you should see an EPIC title which is confidential. This title shouldn't be visible because the user doesn't have access at group level directly.
What is the current bug behavior?
Confidential EPIC titles are visible to users who have direct access at project level (reporters and above) without having access at group level.
What is the expected correct behavior?
The EPIC shouldn't be visible to users who don't have access at group level (reporters and above).
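The following added example (not GitLab's code and not part of the original report) models the expected behavior: the embedded EPIC gets its own group-level authorization check instead of inheriting the issue's project-level one. The structs, method names and sample data are hypothetical, and the "leaky" variant is an assumed cause that reproduces the reported symptom.

```ruby
# Simplified access model, constructed for illustration (not GitLab's code).
REPORTER = 20 # GitLab's numeric access level for the Reporter role

Group   = Struct.new(:name, :members)           # members: { username => level }
Project = Struct.new(:name, :group, :members)
Epic    = Struct.new(:title, :group, :confidential)
Issue   = Struct.new(:title, :project, :confidential, :epic)

# Issues live in a project: direct or inherited group membership both count.
def can_read_issue?(user, issue)
  return true unless issue.confidential
  project = issue.project
  level = [project.members.fetch(user, 0), project.group.members.fetch(user, 0)].max
  level >= REPORTER
end

# Epics live in a group: only group membership counts.
# Assumption: non-confidential epics are readable by anyone in this model.
def can_read_epic?(user, epic)
  return true unless epic.confidential
  epic.group.members.fetch(user, 0) >= REPORTER
end

# Assumed cause of the report: the epic rides along on the issue's check.
def issue_view_leaky(user, issue)
  return nil unless can_read_issue?(user, issue)
  { title: issue.title, epic_title: issue.epic&.title }
end

# Expected behaviour: the embedded epic is authorized separately and dropped
# from the response when the viewer lacks group-level access.
def issue_view_checked(user, issue)
  return nil unless can_read_issue?(user, issue)
  epic = issue.epic
  epic = nil unless epic && can_read_epic?(user, epic)
  { title: issue.title, epic_title: epic&.title }
end

# Constructed sample data mirroring the reproduction steps.
SAMPLE_GROUP   = Group.new("acme", { "alice" => 50 })            # group owner
SAMPLE_PROJECT = Project.new("web", SAMPLE_GROUP, { "bob" => REPORTER })
SAMPLE_EPIC    = Epic.new("Confidential roadmap", SAMPLE_GROUP, true)
SAMPLE_ISSUE   = Issue.new("Confidential bug", SAMPLE_PROJECT, true, SAMPLE_EPIC)

%w[alice bob carol].each do |user|
  puts "#{user}: leaky=#{issue_view_leaky(user, SAMPLE_ISSUE).inspect} " \
       "checked=#{issue_view_checked(user, SAMPLE_ISSUE).inspect}"
end
```

A regression test for this class of bug should assert on every response that embeds the EPIC (issue page, sidebar, API payload), not only on the EPIC's own page.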
Output of checks
This bug happens on GitLab.com
Confidential EPIC titles attached to confidential issues are visible to project members (reporters and above).