author: Douwe Maan <douwe@gitlab.com> 2015-04-10 18:39:36 +0200
committer: Douwe Maan <douwe@gitlab.com> 2015-04-10 18:40:39 +0200
commit: abc06c25319cadc9d0618c17a2a5539d10ce1b38
tree: 45fc68e910f37a0ff9f6bf37ea6da9960e653474
parent: 1f813024bacc8ea6ac066c9707aeb414fade0e0a
download: gitlab-ce-abc06c25319cadc9d0618c17a2a5539d10ce1b38.tar.gz
Don't leak existence of group or project via search.
CHANGELOG                            |  1
app/controllers/search_controller.rb | 15
2 files changed, 12 insertions, 4 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 0a61fee1cb2..adb19118443 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased)
- Don't leak existence of project via search autocomplete.
+ - Don't leak existence of group or project via search.
- Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
- Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
- Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
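Review bot: the new entry "Don't leak existence of group or project via search" only names the leak; since the controller change also replaces the previous `access_denied!` response with a silent fall-through to unscoped search, consider saying so here (for example "... via search; an unauthorized project_id or group_id now falls back to global search instead of returning access denied"), because that is a user-visible behaviour change that release notes readers will want to know about.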
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 16a5ee2ae35..c5828d0b2df 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,15 +3,22 @@ class SearchController < ApplicationController
def show
return if params[:search].nil? || params[:search].blank?
- @project = Project.find_by(id: params[:project_id]) if params[:project_id].present?
- @group = Group.find_by(id: params[:group_id]) if params[:group_id].present?
+
+ if params[:project_id].present?
+ @project = Project.find_by(id: params[:project_id])
+ @project = nil unless can?(current_user, :download_code, @project)
+ end
+
+ if params[:group_id].present?
+ @group = Group.find_by(id: params[:group_id])
+ @group = nil unless can?(current_user, :read_group, @group)
+ end
+
@scope = params[:scope]
@show_snippets = params[:snippets].eql? 'true'
@search_results =
if @project
- return access_denied! unless can?(current_user, :download_code, @project)
-
unless %w(blobs notes issues merge_requests wiki_blobs).
include?(@scope)
@scope = 'blobs'
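Review bot: `@project = nil unless can?(current_user, :download_code, @project)` also executes when `Project.find_by` returned nil for an unknown `project_id`, so `can?` is invoked with a nil subject; confirm the ability layer returns false for nil instead of raising, or short-circuit with `@project = nil unless @project && can?(current_user, :download_code, @project)`. The same applies to the `:read_group` check two lines below. Removing `return access_denied! unless can?(current_user, :download_code, @project)` and nil-ing `@project` instead is what closes the leak (a forbidden id and a non-existent id now behave identically), but that equivalence is exactly what a spec should pin down: same status code and same unscoped results for both cases. Note also that `:download_code` remains the single gate for every project scope, including `issues`, `merge_requests`, `notes` and `wiki_blobs`, so a user who may read issues but not code is now silently routed to global search rather than denied; if that is intended, a short comment above the check would save the next reader from treating it as a bug.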