**[HackerOne report #447817](https://hackerone.com/reports/447817)** by ashish_r_padelkar on 2018-11-20: **Summary:** Hello, There is no documentation for this i guess but i assume that `Developer` and lower level users can not see list of groups that is shared in projects at `https://gitlab.com/<Project>/project_members` Here, they can only see individual members. **Description:** It is possible for users with `Developer` and lower level to see if the project is shared with groups The endpoint responsible for this is `https://gitlab.com/autocomplete/project_groups.json?project_id=<ProjectID>` This will list all the names of the group(even if private) ## Steps To Reproduce: 1. As a `Developer or lower level` role, visit `https://gitlab.com/<Project>/project_members` . You will not see groups that are shared in this project 2. Now using `https://gitlab.com/autocomplete/project_groups.json?project_id=<ProjectID>` , you can see the names! ## Supporting Material/References: I found this endpoint in autocomplete dropdown in protected branch and protected tag at `/settings/repository` in `Allowed to merge` dropdown Regards, Ashish ## Impact Guest can see groups shared in projects