Epics with issues from private projects are viewable to users without access to the project

Summary

I have epic &376 (closed), which is in gitlab-org. This group has mostly public projects, but customers-gitlab-com is a private project for the customers app.

I was curious to see if a non-member of gitlab-org could view the issues in the epic, which are ALL in the private project.

While they could not see the individual issues, they could still access the epic and 1) verify that it exists, 2) view the name of it, and 3) read the description.

Steps to reproduce

  • Create a new user on GitLab.com.
  • View &376 (closed)

What is the current bug behavior?

I'm able to access the epic (but not see issues).

What is the expected correct behavior?

If my user doesn't have access to any issues in the epic, I'd expect it to 404.
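As an added example (not GitLab's own code), the access rule the expected behaviour describes, modelled in Ruby with constructed Project, Issue and Epic stand-ins and string user names: an epic that contains only issues the user cannot read is answered with a 404, so its existence, title and description are not disclosed.

```ruby
# Added example, not GitLab's implementation: a minimal model of the rule
# "an epic 404s for a user who cannot read any of its issues".
# Project, Issue, Epic and the string user names are constructed stand-ins.

Project = Struct.new(:name, :visibility, :members) do
  # Private projects are readable only by their members.
  def readable_by?(user)
    visibility == :public || members.include?(user)
  end
end

Issue = Struct.new(:title, :project)
Epic  = Struct.new(:title, :description, :issues)

# The visibility rule: an epic is shown only when the user can read at least
# one issue in it. Simplification assumed here: an epic with no issues at all
# is treated as not visible (the report does not cover that case).
def epic_visible_to?(epic, user)
  epic.issues.any? { |issue| issue.project.readable_by?(user) }
end

# Request-handler shape: answer 404 rather than 403 so the response does not
# confirm that the epic exists.
def show_epic(epic, user)
  return [404, "Not Found"] unless epic_visible_to?(epic, user)

  [200, { title: epic.title, description: epic.description }]
end

# Constructed data mirroring the report: every issue lives in one private project.
PRIVATE_PROJECT = Project.new("customers-gitlab-com", :private, ["member"])
PUBLIC_PROJECT  = Project.new("public-project", :public, [])

EPIC_ALL_PRIVATE = Epic.new("&376", "internal notes",
                            [Issue.new("a", PRIVATE_PROJECT), Issue.new("b", PRIVATE_PROJECT)])
# Contrast case: one public issue is enough to make the epic visible.
EPIC_MIXED = Epic.new("&377", "mixed", [Issue.new("c", PRIVATE_PROJECT), Issue.new("d", PUBLIC_PROJECT)])
```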

Relevant logs and/or screenshots


Output of checks

This happens on GitLab.com.

Edited Sep 20, 2018 by Jeremy Watson (ex-GitLab)