
New private group name visible to users if request access is enabled

HackerOne report #712045 by ashish_r_padelkar on 2019-10-11, assigned to @jeremymatos:

Summary

Hello,

When a public group has the Allow users to request access setting enabled, anyone can request access to such groups.

The problem happens when this public group becomes private and the group then changes its name. The new group name is sent to the users if their access is denied by the group owner.

Steps to reproduce

  1. As a public group owner, enable Allow users to request access at https://gitlab.com/groups//-/edit#js-general-settings
  2. Log in as a non-member and request access to the above group
  3. As a group owner, change the group visibility to Private and also change the group name.
  4. Now deny the access request which was made by the non-member in step 2
  5. An email is now sent to the non-member with the new group name, which is private: Access to the <NewPrivateGroupName> group was denied

What is the current bug behavior?

The new private group name is sent through email if the owner denies the access request after the visibility and group name changes.

What is the expected correct behavior?

The new name of the group shouldn't be visible to non-members in the email

Output of checks

This bug happens on GitLab.com and might happen on Omnibus installations too!

Impact

New group name disclosure when group becomes private.

Proposal

Once a group's visibility changes to Private, any access requests that are denied after that change should have text in the email such as "Your request to access a Private Group was denied.", or something similar, without calling out the updated private name of the group.

Edited by Rohit Shambhuni
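
The proposal above, sketched as an added example that is not part of the report and not GitLab's mailer code: the subject line is chosen at send time from the group's current visibility and the recipient's membership. `Group`, `AccessRequest`, both `denied_subject_*` helpers and all sample values are hypothetical and constructed for illustration.

```ruby
# Added illustration; every class, helper and value here is hypothetical,
# constructed sample data, not GitLab's own code.
Group = Struct.new(:name, :visibility, :member_ids) do
  def private?
    visibility == :private
  end

  def member?(user_id)
    member_ids.include?(user_id)
  end
end

AccessRequest = Struct.new(:group, :requester_id)

# Behaviour described in the report: the name is read when the request is
# denied, so a rename made after the group went private reaches the non-member.
def denied_subject_leaky(request)
  "Access to the #{request.group.name} group was denied"
end

# Proposed behaviour: check at send time whether the recipient may see the name.
def denied_subject_safe(request)
  group = request.group
  if group.private? && !group.member?(request.requester_id)
    "Your request to access a Private Group was denied."
  else
    "Access to the #{group.name} group was denied"
  end
end

# Replays steps 1-4 of the report on constructed data and returns both subjects.
def replay_report_steps
  group = Group.new("open-tools", :public, [1]) # step 1: public group, owner id 1
  request = AccessRequest.new(group, 42)        # step 2: non-member 42 requests access
  group.visibility = :private                   # step 3: group made private...
  group.name = "NewPrivateGroupName"            # ...and renamed
  {                                             # step 4: owner denies the request
    leaky: denied_subject_leaky(request),
    safe: denied_subject_safe(request)
  }
end
```

The authorization decision is made against the group's state when the mail is rendered, not when the request was created, which is the point at which the report's leak occurs.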