Discrepancy between repository API and UI


Summary

When a user does not have access to a project's repository, the UI returns a 404 message. This does not reveal whether the resource exists or not.

When the same user calls the API, they get a 403 response. This divulges the fact that the resource exists but cannot be accessed.

Steps to reproduce

  1. Create a GitLab project.
  2. Add a user as Guest.
  3. Try to access the project repository using the UI -> 404 is displayed.
  4. Try to access the project repository using the API -> 403 is displayed.
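The following is an added example, not GitLab's own code, that models the two behaviours described above so the difference can be checked mechanically. The project path, the user names and the role table are constructed for the example; the leaky function mirrors the reported API behaviour (existence check and permission check answered with different status codes), and the hardened function mirrors the UI behaviour (an unreadable project is reported exactly like a missing one):

```ruby
# Added example (not GitLab's own code): a minimal model of the 403-vs-404 choice
# described in the issue. Project paths, users and roles below are constructed.

# A project with the set of roles allowed to read its repository.
Project = Struct.new(:path, :reader_roles, keyword_init: true)

# Constructed sample data: one private project whose repository only a maintainer may read.
PROJECTS = {
  "group/private-repo" => Project.new(path: "group/private-repo", reader_roles: %w[maintainer]),
}.freeze

# Constructed membership table: role of each user; non-members are absent (nil).
MEMBERSHIPS = {
  "alice" => "maintainer",
  "bob"   => "guest",
}.freeze

def can_read_repository?(user, project)
  project.reader_roles.include?(MEMBERSHIPS[user])
end

# Behaviour the issue reports for the API: the existence check and the permission
# check are answered with different status codes, so a 403 confirms the project exists.
def api_status_leaky(user, path)
  project = PROJECTS[path]
  return 404 unless project
  can_read_repository?(user, project) ? 200 : 403
end

# Behaviour the issue reports for the UI, and the fix the API needs: a project the
# caller may not read is reported exactly like a project that does not exist.
def status_hardened(user, path)
  project = PROJECTS[path]
  return 404 unless project && can_read_repository?(user, project)
  200
end

# True when the caller can tell an existing-but-hidden repository apart from a missing
# one from the status code alone, i.e. the endpoint acts as an existence oracle.
def existence_oracle?(status_fn, user)
  status_fn.call(user, "group/private-repo") != status_fn.call(user, "group/does-not-exist")
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky API, guest user:    oracle=#{existence_oracle?(method(:api_status_leaky), 'bob')}"
  puts "hardened API, guest user: oracle=#{existence_oracle?(method(:status_hardened), 'bob')}"
end
```

Collapsing "forbidden" into "not found" only closes the oracle if the rest of the response matches the genuine not-found case as well: the same body, headers and comparable response time, otherwise the distinction simply moves from the status code to another observable.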

