Admins should not have access to project/repository if they are not members of the project
Created by: zimmski
(I asked this question in the IRC but did not get any response. Internally, we marked this as a security bug.)

All our projects are "private". Therefore, an admin user cannot see these projects in the "explore" views, but an admin user can see them in the administration area. This is afaik OK. However, if an admin user knows the group and project name, the user can use the usual URIs to access the project's information. Furthermore, the user can clone these repositories. We think that this should be changed, or at least it should be changeable via a configuration setting. Even an admin user should not have access (beyond the admin area) to a project if the user is not a member of the project/group of the project.