Project Milestones Disclosed Via Groups When the Victim disabled milestones access in project settings
Low
GitLab
Reported by
uzsunnyz
Vulnerability Details
Technical details and impact analysis
## Reproduction steps:
Create a public group and public project.
Go to public project settings and disable the project settings to members only.
{F522796}
If the attacker visits the milestones via the project, they may see a 404 Not Found page.
https://gitlab.com/victim-waka-waka/test-group-for-sharing/-/milestones/1
{F522797}
But the attacker will view the project milestones via groups.
{F522798}
## Impact
The attacker will view the project milestones, which are disabled by the admin in project settings.
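
A minimal model of the access-control gap described in this report, added here as an illustration and regression-test sketch; it is not GitLab's code. The struct names, the `milestones_access` setting with its `:everyone` / `:members_only` values, and the sample data are all assumptions.

```ruby
# Hypothetical model, not GitLab's code: every name below is an assumption.
Project = Struct.new(:name, :milestones_access, :allowed_users, :milestones) do
  # Per-project feature check: the rule the project page enforces (404 otherwise).
  def milestones_visible_to?(user)
    milestones_access == :everyone || allowed_users.include?(user)
  end
end

Group = Struct.new(:name, :projects)

# Project-level view: nil stands for the 404 page when the feature is restricted.
def project_milestones(project, user)
  project.milestones_visible_to?(user) ? project.milestones : nil
end

# Flawed group-level view: aggregates every project's milestones and never
# consults the per-project setting, so restricted milestones are disclosed.
def group_milestones_flawed(group, _user)
  group.projects.flat_map(&:milestones)
end

# Corrected group-level view: applies the same per-project check before
# aggregating, so both routes give the same answer for the same user.
def group_milestones_checked(group, user)
  group.projects
       .select { |project| project.milestones_visible_to?(user) }
       .flat_map(&:milestones)
end

# Constructed sample data: a public group with one restricted and one open project.
RESTRICTED = Project.new("restricted", :members_only, ["owner"], ["v1.0 launch"])
OPEN       = Project.new("open", :everyone, ["owner"], ["docs refresh"])
GROUP      = Group.new("sample-group", [RESTRICTED, OPEN])

if __FILE__ == $PROGRAM_NAME
  %w[owner outsider].each do |user|
    puts "#{user}: project=#{project_milestones(RESTRICTED, user).inspect} " \
         "flawed=#{group_milestones_flawed(GROUP, user).inspect} " \
         "checked=#{group_milestones_checked(GROUP, user).inspect}"
  end
end
```

The useful regression check is the consistency property: for any user, a milestone hidden on the project route must also be absent from the group route.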
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Information Disclosure