Don't leak existence of group or project via search.

CHANGELOG

@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 v 7.10.0 (unreleased)
   - Don't leak existence of project via search autocomplete.
+  - Don't leak existence of group or project via search.
   - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
   - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
   - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)

app/controllers/search_controller.rb

@@ -3,15 +3,22 @@ class SearchController < ApplicationController
   def show
     return if params[:search].nil? || params[:search].blank?
-    @project = Project.find_by(id: params[:project_id]) if params[:project_id].present?
-    @group = Group.find_by(id: params[:group_id]) if params[:group_id].present?
+
+    if params[:project_id].present?
+      @project = Project.find_by(id: params[:project_id])
+      @project = nil unless can?(current_user, :download_code, @project)
+    end
+
+    if params[:group_id].present?
+      @group = Group.find_by(id: params[:group_id]) 
+      @group = nil unless can?(current_user, :read_group, @group)
+    end
+    
     @scope = params[:scope]
     @show_snippets = params[:snippets].eql? 'true'
     @search_results = 
       if @project
-        return access_denied! unless can?(current_user, :download_code, @project)
-
         unless %w(blobs notes issues merge_requests wiki_blobs).
           include?(@scope)
           @scope = 'blobs'