repository's "public" setting is shadowed by project's "public" setting

[costela]

Hi,

I'm not sure this is a bug, but it certainly feels like one: repositories are world readable over HTTP(S) when inside of a public project, even if redmine requires authentication and the repository itself is explicitly marked as non-public.
This is a problem if, like us, you have an authenticated Redmine instance with a bunch of projects and teams, and you want to make certain projects public in order to ease intra-team collaboration (issue access, etc).
In this sense, "public" means the project will be accessible for authenticated members that aren't explicitly in any teams. However, it shouldn't automatically mean that any unauthenticated person that can guess our URL should have access to our code.

You should be able to reproduce this behavior by:

• set your installation as "authentication required"
• create a public project
• set the repository as non-public

Now you should not be able to access the project's URL without authenticating (correct), but you will be able to git clone https://... it without authentication (not correct). Cloning over SSH is not affected by this problem.

I would have expected redmine_git_hosting to either:

• respect redmine's "authentication required" setting
• or (more strict) not make a non-public repository accessible without authentication regardless of the global authentication setting

We are currently using Redmine 3.3.1 and redmine_git_hosting 1.2.2.

Am I maybe missing something?

[PowerKiKi]

As discussed in #732 (comment), issues related to Redmine < 4.0 or severely outdated issues are being closed to help clean up the issue tracker.

If this issue is still relevant to you and you are running Redmine >= 4.0, please open a new issue including all new relevant information.