Pending invitations of public groups and public projects are visible to any user
It is possible to see pending invitations of any public group or public project by visiting the API endpoint
This info is not visible in UI to guest/non members. the invites can be email Ids too, so this info shouldnt be visible to such users!
Steps to reproduce
- Go to any public group or public project and go the membership page. you only see confirmed members but wont see pending members.
- Now use below endpoints to see the pending members (invited by emails)
What is the current bug behavior?
Pending invites are visible to any user of public group/project
What is the expected correct behavior?
The pending invites shouldnt be visible to public.
Output of checks
This bug happens on GitLab.com
Pending members (including their emails) are visible to users from public group/projects
These API endpoints should apply the same authorization policy as the equivalent UI endpoints: