Private group names are exposed to non-members - Groups tab
- Create a public project
- Go to Members page. Invite a group, select a private group
- Log out. Go to the members page. You can see the private group name in the Groups tab
What I see
The private group name, and path is shown on the Members page
What I expect to see
The private group is now shown at all on the Members page for unauthorized users or users without access to the private group.
Here are the mockups from @ameliabauerly (#387603 (comment 1446372784), #387603 (comment 1447280926)):
Implementation plan
- Ensure private group names are hidden from unauthorized users
- Ensure this is implemented both for the group tab on the group and project members page
- This change should be documented in the docs as part of implementing this issue
/cc @lohrc @gitlab-com/gl-security/appsec @alexpooley @lciutacu
Edited by Thong Kuah