Allow guest access to Releases Page

Problem to solve

Our organisation is divided into a developer team and a support team. Developers have access to all code, but the support team are just guest users and cannot see the code. The support team have no interest in viewing the code, but releases are very important to them: they want to know everything about them, and currently there is no way for their access role to view the Releases page. We want to allow our support team to access the Releases pages.

At the moment, guest users are forbidden from accessing releases because what would become visible to them is not clear. By allowing access intentionally, we document exactly what is exposed and put the decision into the project owners' hands, where they can make the right call.

Proposal

Guest access to releases is currently disabled due to concerns about exposing information related to the source code.

The correct order of tasks (to turn it on without security vulnerabilities) is:

  • Prevent guests from guessing tag existence via the get ':id/releases/:tag_name' endpoint.
    • Deprecate get ':id/releases/:tag_name' and introduce get ':id/releases/:id'.
    • The deprecated endpoint get ':id/releases/:tag_name' does not allow guest access. (This endpoint is to be removed in the next major version, 12.0.)
    • The new endpoint get ':id/releases/:id' allows guest access.
  • Fix Entities::Release so that it does not leak repository information to guests, i.e. add a permission check to the commit and tag_name attributes.
  • Revert the security fix https://gitlab.com/gitlab-org/gitlab-ce/issues/56402#note_153251645. This allows guests to read the Releases API and pages.
  • Fix the sidebar for Releases page https://gitlab.com/gitlab-org/gitlab-ce/issues/56469

With that done, everything is in the right place: guests can access the Releases page without gaining access to repository information.
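To make the permission split above concrete, here is an added Ruby sketch (not GitLab's own code) of the entity and the two endpoints: the Release and User structs, the can_read_code? predicate and the status codes are assumptions, and the sample releases are constructed.

```ruby
# Illustrative model of the proposal: repository-derived attributes are hidden
# from guests, and the tag-name endpoint never becomes a tag-existence oracle.
Release = Struct.new(:id, :tag_name, :name, :description, :commit_sha)
User = Struct.new(:username, :role)

# Assumption: roles at or above Reporter can read the repository; Guests cannot.
def can_read_code?(user)
  %i[reporter developer maintainer owner].include?(user.role)
end

# Serialise a release for the API. tag_name and commit come from the
# repository, so they are exposed only to users allowed to read code.
def release_entity(release, user)
  entity = {
    'id' => release.id,
    'name' => release.name,
    'description' => release.description
  }
  if can_read_code?(user)
    entity['tag_name'] = release.tag_name
    entity['commit'] = { 'id' => release.commit_sha }
  end
  entity
end

# Deprecated endpoint (get ':id/releases/:tag_name'): guests are refused before
# any lookup, so a guest gets the same answer whether or not the tag exists.
def get_release_by_tag(releases, tag_name, user)
  return [403, nil] unless can_read_code?(user)
  release = releases.find { |r| r.tag_name == tag_name }
  release ? [200, release_entity(release, user)] : [404, nil]
end

# New endpoint (get ':id/releases/:id'): open to guests; the release id is not
# repository information, and the entity already strips what guests may not see.
def get_release_by_id(releases, id, user)
  release = releases.find { |r| r.id == id }
  release ? [200, release_entity(release, user)] : [404, nil]
end

# Constructed sample data for a quick demonstration.
SAMPLE_RELEASES = [Release.new(1, 'v1.0.0', 'First release', 'Release notes', 'abc123')]
SUPPORT_GUEST = User.new('support', :guest)
DEVELOPER = User.new('dev', :developer)

if __FILE__ == $PROGRAM_NAME
  p get_release_by_tag(SAMPLE_RELEASES, 'v1.0.0', SUPPORT_GUEST)  # [403, nil]
  p get_release_by_id(SAMPLE_RELEASES, 1, SUPPORT_GUEST)          # no tag_name/commit
  p get_release_by_id(SAMPLE_RELEASES, 1, DEVELOPER)              # full entity
end
```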

We need to ensure that the documentation is clear about exactly what guest users will get access to.

UX Proposal

  • Under Project > Settings > General > Visibility, project features, permissions, add a new permission setting for the Release page.
  • The new permission should display a title, a description and a toggle button.
  • UI should read:

Release page

Allow guest users to access the Release page

[Toggle button: default is OFF]

Edited by Rayana Verissimo