Pipeline status of related merge request of issue is visible for non-members despite settings

HackerOne report #587945 by ashish_r_padelkar on 2019-05-22, assigned to jritchey:

Summary

Hello,

With the introduction of https://about.gitlab.com/2019/05/22/gitlab-11-11-released/#more-details-for-related-merge-requests , it is possible to see the pipeline status of merge requests associated with issues when we have the settings below for public projects

Screenshot_2019-05-23_at_00.17.09.png

Steps to reproduce

  1. As an owner of a public project, set the settings shown in the screenshot above, i.e. set Pipelines to Only Project Members.

  2. Now any authenticated non-member can navigate to an issue where related merge requests exist.

  3. You should see the pipeline status of such merge requests despite the Only Project Members setting!

Screenshot_2019-05-23_at_00.20.49.png

What is the current bug behavior?

Pipeline status of related merge requests in issues is visible!

What is the expected correct behavior?

Pipeline status should not be visible if the setting is Only Project Members in public projects.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

Pipeline status of related merge requests is visible for non-members.
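The defect described in the steps above is a per-field authorization gap: the related merge request widget is reachable by anyone who can read the issue, but the pipeline status inside it is governed by the separate Pipelines ("Only Project Members") feature setting. The following is an added, hypothetical Ruby model of that check (example code, not GitLab's own implementation); the feature-level constants, the `Project`/`MergeRequest` structs and the two serializer variants are assumptions chosen to illustrate the leaky and the corrected behaviour side by side.

```ruby
# Hypothetical model (added example, not GitLab code). The access-level values
# are assumed here to stand for the project feature settings in the report.
DISABLED = 0   # feature switched off
PRIVATE  = 10  # "Only Project Members"
ENABLED  = 20  # "Everyone With Access"

Project      = Struct.new(:public, :builds_access_level, :members)
MergeRequest = Struct.new(:title, :project, :pipeline_status)

# Per-user check: may `user` read pipelines of `project`?
# An anonymous or non-member viewer only passes when the feature is ENABLED
# on a public project; PRIVATE restricts it to members regardless of
# project visibility.
def can_read_pipeline?(user, project)
  case project.builds_access_level
  when ENABLED then project.public || project.members.include?(user)
  when PRIVATE then project.members.include?(user)
  else false
  end
end

# Leaky variant: emits the pipeline status to everyone who can see the
# related-MR widget, ignoring the Pipelines feature setting (the reported bug).
def related_mr_leaky(mr, _user)
  { title: mr.title, pipeline_status: mr.pipeline_status }
end

# Corrected variant: the pipeline field is only serialized when the viewer
# passes the per-user pipeline permission check.
def related_mr_gated(mr, user)
  entry = { title: mr.title }
  entry[:pipeline_status] = mr.pipeline_status if can_read_pipeline?(user, mr.project)
  entry
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: public project, Pipelines set to Only Project Members.
  project = Project.new(true, PRIVATE, [:owner])
  mr      = MergeRequest.new("Fix login form", project, "success")
  puts "leaky, non-member: #{related_mr_leaky(mr, :visitor)}"
  puts "gated, non-member: #{related_mr_gated(mr, :visitor)}"
  puts "gated, member:     #{related_mr_gated(mr, :owner)}"
end
```

Running the sample shows the leaky serializer handing `"success"` to the non-member while the gated one omits the field for the visitor and keeps it for the project owner.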

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-05-23_at_00.17.09.png
  • Screenshot_2019-05-23_at_00.20.49.png