User with Guest permissions has API access to project properties
Summary
A user with Guest permissions can retrieve project properties when using a PAT with API scope
Steps to reproduce
- Add a user with "Guest" role to a private project
- Create a Personal Access Token for that user with the API scope
- Make an API request to the project, i.e. curl --header "PRIVATE-TOKEN: glpat-TOKEN" "https://gitlab.com/api/v4/projects/PROJECT_ID"
Example Project
What is the current bug behavior?
I retrieved the following information:
{"id":53261191,"description":null,"name":"ci-rules-tests","name_with_namespace":"asalii Ultimate Group / ci-rules-tests","path":"ci-rules-tests","path_with_namespace":"asalii_ultimate_group/ci-rules-tests","created_at":"2023-12-21T13:17:50.697Z","tag_list":[],"topics":[],"ssh_url_to_repo":"git@gitlab.com:asalii_ultimate_group/ci-rules-tests.git","http_url_to_repo":"https://gitlab.com/asalii_ultimate_group/ci-rules-tests.git","web_url":"https://gitlab.com/asalii_ultimate_group/ci-rules-tests","avatar_url":null,"star_count":0,"last_activity_at":"2024-02-23T12:13:35.961Z","namespace":{"id":70922380,"name":"asalii Ultimate Group","path":"asalii_ultimate_group","kind":"group","full_path":"asalii_ultimate_group","parent_id":null,"avatar_url":null,"web_url":"https://gitlab.com/groups/asalii_ultimate_group"},"container_registry_image_prefix":"registry.gitlab.com/asalii_ultimate_group/ci-rules-tests","_links":{"self":"https://gitlab.com/api/v4/projects/53261191","issues":"https://gitlab.com/api/v4/projects/53261191/issues","merge_requests":"https://gitlab.com/api/v4/projects/53261191/merge_requests","repo_branches":"https://gitlab.com/api/v4/projects/53261191/repository/branches","labels":"https://gitlab.com/api/v4/projects/53261191/labels","events":"https://gitlab.com/api/v4/projects/53261191/events","members":"https://gitlab.com/api/v4/projects/53261191/members","cluster_agents":"https://gitlab.com/api/v4/projects/53261191/cluster_agents"},"packages_enabled":true,"empty_repo":false,"archived":false,"visibility":"private","resolve_outdated_diff_discussions":false,"container_expiration_policy":{"cadence":"1d","enabled":false,"keep_n":10,"older_than":"90d","name_regex":".*","name_regex_keep":null,"next_run_at":"2023-12-22T13:17:50.735Z"},"repository_object_format":"sha1","issues_enabled":true,"merge_requests_enabled":true,"wiki_enabled":true,"jobs_enabled":true,"snippets_enabled":true,"container_registry_enabled":true,"service_desk_enabled":true,"can_create_merge_request_in":false,"issues_access_level":"enabled","repository_access_level":"enabled","merge_requests_access_level":"enabled","forking_access_level":"enabled","wiki_access_level":"enabled","builds_access_level":"enabled","snippets_access_level":"enabled","pages_access_level":"private","analytics_access_level":"enabled","container_registry_access_level":"enabled","security_and_compliance_access_level":"private","releases_access_level":"enabled","environments_access_level":"enabled","feature_flags_access_level":"enabled","infrastructure_access_level":"enabled","monitor_access_level":"enabled","model_experiments_access_level":"enabled","model_registry_access_level":"enabled","emails_disabled":false,"emails_enabled":true,"shared_runners_enabled":true,"lfs_enabled":true,"creator_id":4825511,"import_status":"none","open_issues_count":0,"description_html":"","updated_at":"2024-02-23T12:13:35.961Z","public_jobs":true,"shared_with_groups":[],"only_allow_merge_if_pipeline_succeeds":false,"allow_merge_on_skipped_pipeline":null,"request_access_enabled":true,"only_allow_merge_if_all_discussions_are_resolved":false,"remove_source_branch_after_merge":true,"printing_merge_request_link_enabled":true,"merge_method":"merge","squash_option":"default_off","enforce_auth_checks_on_uploads":true,"suggestion_commit_message":null,"merge_commit_template":null,"squash_commit_template":null,"issue_branch_template":null,"warn_about_potentially_unwanted_characters":true,"autoclose_referenced_issues":true,"approvals_before_merge":0,"mirror":false,"external_authorization_classification_label":"","marked_for_deletion_at":null,"marked_for_deletion_on":null,"requirements_enabled":true,"requirements_access_level":"enabled","security_and_compliance_enabled":true,"compliance_frameworks":[],"issues_template":null,"merge_pipelines_enabled":false,"merge_trains_enabled":false,"merge_trains_skip_train_allowed":false,"only_allow_merge_if_all_status_checks_passed":false,"allow_pipeline_trigger_approve_deployment":false,"prevent_merge_without_jira_issue":false,"permissions":{"project_access":null,"group_access":{"access_level":10,"notification_level":3}}}
What is the expected correct behavior?
The response shouldn't contain project properties that aren't intended for Guest users.
Relevant logs and/or screenshots
This was tested with both a service account and a human account, and with both direct membership in the project and membership inherited from the parent group.
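The following is an added example, not code from the report or from GitLab: a small regression check a maintainer could run over a saved GET /projects/:id response to confirm that a Guest-level token receives only an expected set of properties. The numeric access levels (Guest = 10, Reporter = 20, Developer = 30, Maintainer = 40, Owner = 50) are GitLab's documented values; the GUEST_ALLOWED_KEYS allow-list and the trimmed SAMPLE_RESPONSE are assumptions constructed here for illustration, not GitLab's actual per-role field policy. The effective level is taken as the higher of the direct (project_access) and inherited (group_access) grants, since either block can be null, as it is in the response above.

```python
"""Audit a project API response for properties a Guest should not receive.

Added example for this report. The allow-list is a placeholder assumption;
replace it with the property set the fix actually exposes to Guests.
"""
import json

# GitLab's documented numeric access levels.
ACCESS_LEVEL_NAMES = {
    0: "no access", 5: "minimal access", 10: "guest", 20: "reporter",
    30: "developer", 40: "maintainer", 50: "owner",
}
GUEST_LEVEL = 10

# Hypothetical allow-list (assumption): top-level properties assumed to be
# appropriate for a Guest. Anything outside it is reported.
GUEST_ALLOWED_KEYS = {
    "id", "name", "name_with_namespace", "path", "path_with_namespace",
    "description", "web_url", "avatar_url", "visibility", "namespace",
    "permissions", "_links",
}

# Constructed sample: a trimmed copy of the response quoted in the report.
SAMPLE_RESPONSE = json.dumps({
    "id": 53261191,
    "name": "ci-rules-tests",
    "path_with_namespace": "asalii_ultimate_group/ci-rules-tests",
    "visibility": "private",
    "shared_runners_enabled": True,
    "container_registry_image_prefix":
        "registry.gitlab.com/asalii_ultimate_group/ci-rules-tests",
    "merge_method": "merge",
    "security_and_compliance_access_level": "private",
    "permissions": {
        "project_access": None,
        "group_access": {"access_level": 10, "notification_level": 3},
    },
})


def effective_access_level(project):
    """Highest of the direct (project) and inherited (group) access levels.

    Either block may be null in the API response, so each is checked.
    """
    perms = project.get("permissions") or {}
    levels = []
    for key in ("project_access", "group_access"):
        block = perms.get(key)
        if block and "access_level" in block:
            levels.append(int(block["access_level"]))
    return max(levels, default=0)


def unexpected_keys(project, allowed=GUEST_ALLOWED_KEYS):
    """Top-level properties present in the response but not in the allow-list."""
    return sorted(set(project) - set(allowed))


def audit(raw_json, allowed=GUEST_ALLOWED_KEYS):
    """Parse a saved response and report over-exposed properties for Guests.

    Returns the caller's resolved role, numeric level and the list of
    properties that fall outside the allow-list (empty for roles above Guest,
    where the allow-list does not apply).
    """
    project = json.loads(raw_json)
    level = effective_access_level(project)
    role = ACCESS_LEVEL_NAMES.get(level, "unknown(%d)" % level)
    leaked = unexpected_keys(project, allowed) if level <= GUEST_LEVEL else []
    return {"role": role, "access_level": level, "unexpected_keys": leaked}


if __name__ == "__main__":
    # Run against the constructed sample; on a real instance, feed it the
    # body saved from the curl command in the reproduction steps.
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

Running this over the constructed sample resolves the caller as a Guest via the inherited group grant and lists the properties outside the allow-list (here shared_runners_enabled, container_registry_image_prefix, merge_method and security_and_compliance_access_level). A caller with a Developer direct grant and the same Guest group grant resolves to level 30 and is not checked against the Guest allow-list.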