Raw private snippets that are not linked to a project can be viewed while logged out

Description of issue

Take this snippet as an example: https://gitlab.com/snippets/10934/raw

If you are logged in, you will receive a 404, as expected, but if you are completely logged out of the system, you will be able to see the raw contents of the snippet without being prompted to log in.

If you remove the /raw part of the link, you will be redirected to the login screen, as expected, so this only affects the raw view of the snippet.

Result of replication

Just as described.

Concrete questions / Next steps

This should not be the case. It looks like the bug was introduced with this commit: c8fe4215.

Line 85 should read:

PersonalSnippet.are_public.find(params[:id])

And not:

PersonalSnippet.find(params[:id])

/cc @JobV @DouweM
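The fix proposed above, as an added example that is not GitLab's own code: a minimal Ruby model of the raw-snippet lookup, with the anonymous branch written both as the unscoped `find` and as the `are_public`-scoped `find`. `Snippet`, `User`, `RawSnippetsController`, the `Relation` stand-in for an ActiveRecord relation, the visibility constants and the sample rows are all assumptions standing in for the real models.

```ruby
# Added example, not GitLab's code. Models the raw-snippet lookup from the issue:
# an unscoped Snippet.find serves private snippets to logged-out visitors, while
# Snippet.are_public.find limits anonymous lookups to public snippets.
# Snippet, User, RawSnippetsController and the constants are assumptions.

class NotFound < StandardError; end

User = Struct.new(:id, :name)

class Snippet
  PRIVATE = 0
  PUBLIC  = 20

  attr_reader :id, :author_id, :visibility, :content

  def initialize(id, author_id, visibility, content)
    @id, @author_id, @visibility, @content = id, author_id, visibility, content
  end

  def public?
    visibility == PUBLIC
  end

  # Stand-in for an ActiveRecord relation: `find` raises when the id is not
  # among the rows the relation is allowed to see.
  Relation = Struct.new(:rows) do
    def find(id)
      rows.find { |s| s.id == id } or raise NotFound, "snippet #{id} not found"
    end
  end

  # Constructed sample table: one public and one private personal snippet.
  ROWS = [
    new(1, 1, PUBLIC,  "puts 'hello world'"),
    new(2, 1, PRIVATE, "DB_PASSWORD=hunter2"),
  ].freeze

  # Unscoped lookup: matches any row regardless of visibility.
  def self.find(id)
    Relation.new(ROWS).find(id)
  end

  # The `are_public` scope: only public rows are reachable through `find`.
  def self.are_public
    Relation.new(ROWS.select(&:public?))
  end
end

class RawSnippetsController
  # current_user is nil for a logged-out visitor.
  def initialize(current_user)
    @current_user = current_user
  end

  # Before the fix: the anonymous branch uses the unscoped `find`, so a
  # private snippet's raw content is served to a logged-out visitor.
  def raw_before(id)
    snippet = @current_user ? authorized_find(id) : Snippet.find(id)
    snippet.content
  end

  # After the fix: the anonymous branch is scoped to `are_public`, so a
  # private id raises NotFound (a 404), matching what a logged-in non-author sees.
  def raw_after(id)
    snippet = @current_user ? authorized_find(id) : Snippet.are_public.find(id)
    snippet.content
  end

  private

  # Logged-in path: anything the user may not read is hidden behind a 404.
  def authorized_find(id)
    snippet = Snippet.find(id)
    return snippet if snippet.public? || snippet.author_id == @current_user.id
    raise NotFound, "snippet #{id} not found"
  end
end

# Returns the response body, or "404" when the lookup raises NotFound.
def raw_response(controller, id, action)
  controller.public_send(action, id)
rescue NotFound
  "404"
end

anon = RawSnippetsController.new(nil)
puts "anonymous, private snippet, before fix: #{raw_response(anon, 2, :raw_before)}"
puts "anonymous, private snippet, after fix:  #{raw_response(anon, 2, :raw_after)}"
```

The check worth keeping from this is the last case: with the scope applied, a logged-out request for a private snippet id, a non-author's request, and a request for a nonexistent id all produce the same 404, so the raw endpoint no longer reveals whether a private snippet exists.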