Restrict access to security reports when pipeline is not public

ee/app/controllers/ee/projects/merge_requests_controller.rb

@@ -18,7 +18,7 @@ module EE
 
         before_action :whitelist_query_limiting_ee_merge, only: [:merge]
         before_action :whitelist_query_limiting_ee_show, only: [:show]
-        before_action :authorize_read_pipeline!, only: [:sast_reports]
+        before_action :authorize_read_pipeline!, only: [:container_scanning_reports, :dependency_scanning_reports, :sast_reports]
       end
 
       def approve

ee/changelogs/unreleased/restrict-access-for-sec-reports.yml

+---
+title: Restrict access for security reports in MR widget
+merge_request:
+author:
+type: security

ee/spec/controllers/projects/merge_requests_controller_spec.rb

@@ -478,6 +478,21 @@ describe Projects::MergeRequestsController do
         expect(json_response).to eq({ 'status_reason' => 'Unknown error' })
       end
     end
+
+    context 'public project with private builds' do
+      let(:comparison_status) { {} }
+      let(:project) { create(:project, :public, :builds_private) }
+
+      before do
+        sign_out user
+      end
+
+      it 'restricts unauthorized access' do
+        subject
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
   end
 
   describe 'GET #container_scanning_reports' do
@@ -563,6 +578,21 @@ describe Projects::MergeRequestsController do
         expect(json_response).to eq({ 'status_reason' => 'Unknown error' })
       end
     end
+
+    context 'public project with private builds' do
+      let(:comparison_status) { {} }
+      let(:project) { create(:project, :public, :builds_private) }
+
+      before do
+        sign_out user
+      end
+
+      it 'restricts unauthorized access' do
+        subject
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
   end
 
   describe 'GET #sast_reports' do