Prevent disclosing project milestone titles

Prevent unauthorized users having access to milestone titles
through autocomplete endpoint.

app/controllers/projects/autocomplete_sources_controller.rb

 # frozen_string_literal: true
 
 class Projects::AutocompleteSourcesController < Projects::ApplicationController
+  before_action :authorize_read_milestone!, only: :milestones
+
   def members
     render json: ::Projects::ParticipantsService.new(@project, current_user).execute(target)
   end

changelogs/unreleased/security-issue_54789_2.yml

+---
+title: Do not disclose milestone titles for unauthorized users
+merge_request:
+author:
+type: security

spec/controllers/projects/autocomplete_sources_controller_spec.rb

@@ -35,4 +35,35 @@ describe Projects::AutocompleteSourcesController do
                                                  avatar_url: user.avatar_url)
     end
   end
+
+  describe 'GET milestones' do
+    let(:group) { create(:group, :public) }
+    let(:project) { create(:project, :public, namespace: group) }
+    let!(:project_milestone) { create(:milestone, project: project) }
+    let!(:group_milestone) { create(:milestone, group: group) }
+
+    before do
+      sign_in(user)
+    end
+
+    it 'lists milestones' do
+      group.add_owner(user)
+
+      get :milestones, format: :json, params: { namespace_id: group.path, project_id: project.path }
+
+      milestone_titles = json_response.map { |milestone| milestone["title"] }
+      expect(milestone_titles).to match_array([project_milestone.title, group_milestone.title])
+    end
+
+    context 'when user cannot read project issues and merge requests' do
+      it 'renders 404' do
+        project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+        project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+
+        get :milestones, format: :json, params: { namespace_id: group.path, project_id: project.path }
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
 end