Pending invitations of public groups and public projects are visible to any user

HackerOne report #1048259 by ashish_r_padelkar on 2020-12-01, assigned to @rchan-gitlab:

Report | How To Reproduce

Report

Summary

Hello,

It is possible to see pending invitations of any public group or public project by visiting the API endpoint https://gitlab.com/api/v4/groups/<ID>/invitations
https://gitlab.com/api/v4/projects/<ID>/invitations

This info is not visible in UI to guest/non members. the invites can be email Ids too, so this info shouldnt be visible to such users!

Steps to reproduce

1. Go to any public group or public project and go the membership page. you only see confirmed members but wont see pending members.
2. Now use below endpoints to see the pending members (invited by emails)
   https://gitlab.com/api/v4/groups/<ID>/invitations
https://gitlab.com/api/v4/projects/<ID>/invitations

What is the current bug behavior?

Pending invites are visible to any user of public group/project

What is the expected correct behavior?

The pending invites shouldnt be visible to public.

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Pending members (including their emails) are visible to users from public group/projects

Proposal

These API endpoints should apply the same authorization policy as the equivalent UI endpoints:

• https://gitlab.com/api/v4/groups/:id/invitations
• https://gitlab.com/api/v4/projects/:id/invitations