GitLab.org / GitLab / Issues / #342823

Service Desk email is leaked via the API to all users regardless of their role in a private project

HackerOne report #1360744 by gratitude101 on 2021-10-06, assigned to @cmaxim:


Report

Summary

The Service Desk email is leaked via the API to all users regardless of their role in the project. The documentation here says "The unique internal email address is visible to project members with Maintainer (or higher) permission level in your GitLab instance", but that is not the case: the email address is leaked at https://gitlab.com/api/v4/projects/[PROJECT_ID] to any user, i.e., Guest, Reporter, etc.

Steps to reproduce
  1. Log in to GitLab, create a private project and navigate to it.
  2. Navigate to Settings -> General -> Service Desk, toggle "Activate Service Desk" and click "Save changes".
  3. Now navigate to Project information -> Members and invite a user as Guest.
  4. Now log in as the Guest user and navigate to Issues -> Service Desk; the email address is not shown in the UI.
  5. Now navigate to https://gitlab.com/api/v4/projects/[PROJECT_ID], replacing PROJECT_ID with your project ID (shown at the root of the project); you should see the Service Desk email being leaked in the response.

The problem also exists for public projects.

Impact

The Service Desk email is leaked via the API to all users regardless of their role in the private project.

What is the current bug behavior?

The Service Desk email is leaked via the API to all users regardless of their role in the private project.

What is the expected correct behavior?

According to the docs, the Service Desk email should not be visible to any user below the Maintainer role.

Output of checks

This bug happens on GitLab.com

Impact

The Service Desk email is leaked via the API to all users regardless of their role in the private project, despite the documentation saying the opposite.

How To Reproduce

Please add reproducibility information to this section:

Edited Nov 10, 2021 by Jarka Košanová
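The API check that step 5 of the report performs in a browser, written as an added example (it is not part of the HackerOne report or of GitLab's own code): it requests GET /api/v4/projects/:id with a project member's personal access token and reports whether the Service Desk fields come back. The field names `service_desk_address` and `service_desk_enabled` are the ones the GitLab Projects API uses for these values; the instance URL, the token, and the per-role sample responses used for the offline check are assumptions and constructed data, not captured output from GitLab.com.

```python
"""Check whether GET /api/v4/projects/:id exposes the Service Desk address
to members below Maintainer. Added example; not GitLab code."""
import json
import os
import urllib.request

# Field names as they appear in the GitLab Projects API response.
SERVICE_DESK_FIELDS = ("service_desk_address", "service_desk_enabled")

# GitLab roles in ascending order of privilege (Owner is above Maintainer).
ROLE_ORDER = ("Guest", "Reporter", "Developer", "Maintainer", "Owner")


def fetch_project(base_url, project_id, token):
    """GET /api/v4/projects/:id as the member who owns `token`.

    Network call; only run from __main__ so the module imports offline.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/projects/{project_id}",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def exposed_service_desk_fields(project):
    """Return the Service Desk fields present in a project response with a
    non-empty value. For a Guest or Reporter this should be empty per the docs."""
    return {
        key: project[key]
        for key in SERVICE_DESK_FIELDS
        if project.get(key) not in (None, "", False)
    }


def roles_seeing_address(responses_by_role, min_role="Maintainer"):
    """Given {role: project_json} captured with one token per role, return the
    roles *below* `min_role` whose response still carries the address.
    A non-empty result reproduces the report."""
    threshold = ROLE_ORDER.index(min_role)
    return sorted(
        role
        for role, body in responses_by_role.items()
        if ROLE_ORDER.index(role) < threshold and body.get("service_desk_address")
    )


# Constructed sample responses (assumption: shape of the Projects API body,
# address is a placeholder, not a real Service Desk address).
SAMPLE_ADDRESS = "contact-project+example-123-issue-@incoming.gitlab.com"
SAMPLE_RESPONSES = {
    "Guest": {"id": 123, "visibility": "private",
              "service_desk_enabled": True,
              "service_desk_address": SAMPLE_ADDRESS},
    "Reporter": {"id": 123, "visibility": "private",
                 "service_desk_enabled": True,
                 "service_desk_address": SAMPLE_ADDRESS},
    "Maintainer": {"id": 123, "visibility": "private",
                   "service_desk_enabled": True,
                   "service_desk_address": SAMPLE_ADDRESS},
}


if __name__ == "__main__":
    # Live check: GITLAB_URL, PROJECT_ID and GITLAB_TOKEN are assumed
    # environment variables; the token belongs to a Guest member.
    base = os.environ.get("GITLAB_URL", "https://gitlab.com")
    body = fetch_project(base, os.environ["PROJECT_ID"], os.environ["GITLAB_TOKEN"])
    leaked = exposed_service_desk_fields(body)
    print("leaked fields:" if leaked else "no Service Desk fields exposed", leaked)
```

Run it once with a token for each role you invited; any role listed by `roles_seeing_address` below Maintainer contradicts the documented visibility rule.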