Group Search API for `Users` scope lists all the members from private projects/subgroups
HackerOne report #641896 by ashish_r_padelkar on 2019-07-12, assigned to akelly:
Summary
Hello,
It is possible for anyone to get a list of private project members if they are in any public group. The group search API for the users scope retrieves all the members from the private group, private subgroup, etc.
Steps to reproduce
- Create a public group
- Create a private project/subgroup inside it and have some unique members added here which are not added at group level.
- Log in as a non-member of the group and run the below API
https://gitlab.com/api/v4/groups/<Group_ID>/search?scope=users&search=
- This will list the members from the private group too!
What is the current bug behavior?
Retrieves all the members in group including the members from private projects!
What is the expected correct behavior?
Only public group/project members should be listed when the user doesn't have access to private projects or subgroups
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too!
Regards,
Ashish
Impact
Group Search API for Users scope lists all the members from private projects/subgroups
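The missing authorization filter described in the report, modelled as an added example (this is not GitLab's code). It assumes a simplified hierarchy of groups, subgroups and projects, each either public or private, where members of a group inherit access to everything nested under it; `search_users_buggy` reproduces the reported behaviour and `search_users_fixed` the expected one.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    """A group, subgroup or project; visibility is 'public' or 'private'."""
    name: str
    visibility: str
    members: frozenset[str] = frozenset()
    children: list["Container"] = field(default_factory=list)

def can_read(node: Container, user, inherited: frozenset[str]) -> bool:
    """Public containers are readable by anyone (user may be None);
    private ones only by direct or inherited members."""
    return node.visibility == "public" or user in (node.members | inherited)

def search_users_buggy(node: Container) -> set[str]:
    """Reported behaviour: walk every descendant without consulting the caller."""
    found = set(node.members)
    for child in node.children:
        found |= search_users_buggy(child)
    return found

def search_users_fixed(node: Container, user, inherited=frozenset()) -> set[str]:
    """Expected behaviour: only descend into containers the caller can read."""
    if not can_read(node, user, inherited):
        return set()
    found = set(node.members)
    # Members of a group also have access to everything nested under it.
    inherited = inherited | node.members
    for child in node.children:
        found |= search_users_fixed(child, user, inherited)
    return found

# Constructed sample hierarchy mirroring the report's setup (hypothetical names):
# a public group with a public project, a private project and a private subgroup.
ACME = Container("acme", "public", frozenset({"alice"}), [
    Container("website", "public", frozenset({"erin"})),
    Container("payroll", "private", frozenset({"bob"})),
    Container("internal", "private", frozenset({"carol"}), [
        Container("secrets", "private", frozenset({"dave"})),
    ]),
])

if __name__ == "__main__":
    print("buggy, non-member:", sorted(search_users_buggy(ACME)))
    print("fixed, non-member:", sorted(search_users_fixed(ACME, None)))
    print("fixed, carol:", sorted(search_users_fixed(ACME, "carol")))
```

For the non-member the buggy walk returns all five users while the fixed one returns only the public group's and public project's members; a member of the private subgroup additionally sees that subgroup and its nested project.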