Allow guest access to Releases Page
Problem to solve
Our organisation is divided into a developer team and support team. Developers have access to all code but support are just guest users and they cannot see the code. The support team have no interest in viewing the code but the releases are very important for them. They want to know all about them and currently there is no way for their access role to view the release page. We want to allow our support team to access the release pages.
At the moment, guest users are forbidden from accessing releases because what a release exposes is not clearly defined. By allowing intentional access, we document what is exposed and put this decision into the project owners' hands, where they can make the right call.
Proposal
Guest access to releases is currently disabled due to concerns about exposing information related to the source code.
The correct order of tasks (to turn it on without security vulnerabilities) is:
- Prevent guests from guessing tag existence via the `get ':id/releases/:tag_name'` endpoint.
- Deprecate `get ':id/releases/:tag_name'` and introduce `get ':id/releases/:id'`
  - The deprecated endpoint `get ':id/releases/:tag_name'` doesn't allow guests to access. (This endpoint is to be removed in next major version 12.0)
  - The new endpoint `get ':id/releases/:id'` allows guests to access
- Deprecate
- Fix `Entities::Release` not to leak repository information to guests, i.e. add a permission check to the `commit` and `tag_name` attributes.
- Revert the security fix https://gitlab.com/gitlab-org/gitlab-ce/issues/56402#note_153251645. This allows guests to read Releases API/pages.
- Fix the sidebar for Releases page https://gitlab.com/gitlab-org/gitlab-ce/issues/56469
And now everything is in the right place. Guests can access the Releases page without accessing repository information.
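As an added illustration (not GitLab's own code) of the two rules above, the following Ruby sketch serializes a release so that `commit` and `tag_name` are only emitted to roles that may read the repository, and makes the tag-name lookup return the same "not found" result to guests whether or not the tag exists. The role names, the `Release` struct and the helper names are assumptions for this example.

```ruby
# Constructed sample data, not GitLab's own model: one project with two releases.
Release = Struct.new(:id, :tag_name, :name, :description, :commit_sha)

RELEASES = [
  Release.new(1, "v1.0.0", "First release", "Initial GA", "a1b2c3"),
  Release.new(2, "v1.1.0", "Bugfix release", "Fixes", "d4e5f6"),
].freeze

# Assumption: repository details are visible to reporters and above; guests see none.
def can_read_repository?(role)
  %i[reporter developer maintainer owner].include?(role)
end

# Entities::Release analogue: expose commit and tag_name only when the caller
# may read the repository; the remaining attributes are safe to show guests.
def release_entity(release, role)
  entity = {
    "id" => release.id,
    "name" => release.name,
    "description" => release.description,
  }
  if can_read_repository?(role)
    entity["tag_name"] = release.tag_name
    entity["commit"] = { "sha" => release.commit_sha }
  end
  entity
end

# New-style lookup by release id: guests are allowed, but still get the
# filtered entity.
def find_release_by_id(id, role)
  release = RELEASES.find { |r| r.id == id }
  release ? release_entity(release, role) : nil
end

# Deprecated-style lookup by tag name: guests always get nil, so the response
# cannot be used to tell an existing tag from a non-existent one.
def find_release_by_tag(tag_name, role)
  return nil unless can_read_repository?(role)

  release = RELEASES.find { |r| r.tag_name == tag_name }
  release ? release_entity(release, role) : nil
end
```

The important check is that the guest result for `find_release_by_tag` is identical for `"v1.0.0"` and `"v9.9.9"`, which is what closes the tag-guessing gap.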
We need to ensure that the documentation is clear what exactly guest users will get access to.
UX Proposal
- Under `Project > Settings > General > Visibility, project features, permissions`, add a new permission role for the Release page.
- The new permission should display: a title, a description, a toggle button.
- UI should read:
  - Release page
  - Allow guest users to access the Release page
  - [Toggle button: default is OFF]