Private token support for raw URLs
Summary
Private access tokens don't authorize users for raw URLs of files in private repositories. But some people said PATs were valid for private raw URLs as well. I'd like to confirm if PATs could actually work in such a way in the current version of GitLab.
I personally think it would be nice if PATs could cover private raw URLs which end users could easily acquire by GitLab's "Open raw" button. Project's deploy tokens should also be capable of this so that users could avoid exposing whole permissions with their PATs.
Steps to reproduce
- Get a raw URL of any file in any private project: https://gitlab.com/yaegashi/rawtest1/raw/master/hello.txt for example
- Acquire a private access token with api scope: XXXXXXXX for example
- Attempt to download the URL with the private access token:
curl -v https://gitlab.com/yaegashi/rawtest1/raw/master/hello.txt?private_token=XXXXXXXX
I've confirmed the private access token above worked, as expected, for the /api endpoint.
$ curl 'https://gitlab.com/api/v4/projects/yaegashi%2Frawtest1/repository/files/hello.txt/raw?ref=master&private_token=XXXXXXXX'
Hello, world.
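The API call above is the working alternative to the raw URL: the same file is fetched through /api/v4 with the project path URL-encoded. As an added example (not part of the original report), this helper rewrites a GitLab raw URL into that API endpoint; it assumes the raw URL has the form shown in the report (or the newer /-/raw/ form) and that the ref contains no slash.

```python
from urllib.parse import urlsplit, urlunsplit, quote, urlencode

# Newer GitLab raw URLs use "/-/raw/", older ones "/raw/"; the longer
# marker is tested first so it is not mistaken for the shorter one.
RAW_MARKERS = ("/-/raw/", "/raw/")


def raw_url_to_api_url(raw_url: str) -> str:
    """Convert https://host/group/project/raw/<ref>/<path> into
    https://host/api/v4/projects/group%2Fproject/repository/files/<path>/raw?ref=<ref>.

    Assumption: <ref> contains no "/" (a branch like feature/x is ambiguous
    in a raw URL, because the ref and the file path are not delimited).
    """
    parts = urlsplit(raw_url)
    for marker in RAW_MARKERS:
        if marker in parts.path:
            project_path, rest = parts.path.split(marker, 1)
            break
    else:
        raise ValueError("not a GitLab raw file URL: %s" % raw_url)

    project_path = project_path.strip("/")
    ref, _, file_path = rest.partition("/")
    if not (project_path and ref and file_path):
        raise ValueError("raw URL is missing project, ref or file path")

    # The API wants the namespaced project path and the file path each as a
    # single URL-encoded segment, so "/" must become "%2F" (safe="").
    api_path = "/api/v4/projects/{}/repository/files/{}/raw".format(
        quote(project_path, safe=""), quote(file_path, safe="")
    )
    return urlunsplit((parts.scheme, parts.netloc, api_path, urlencode({"ref": ref}), ""))


def api_auth_headers(token: str) -> dict:
    """Supply the token in the PRIVATE-TOKEN request header instead of the
    private_token query parameter used in the report, so it does not land in
    proxy and web-server access logs along with the URL."""
    return {"PRIVATE-TOKEN": token}


if __name__ == "__main__":
    print(raw_url_to_api_url("https://gitlab.com/yaegashi/rawtest1/raw/master/hello.txt"))
```

The returned URL is the one the reporter used with curl; the header from `api_auth_headers` replaces the `private_token=` query parameter when the request is made.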
Example Project
I've tested with https://gitlab.com/yaegashi/rawtest1 but it's a private project.
What is the current bug behavior?
curl returns 302 Found and redirects the user to the sign-in page:
<html><body>You are being <a href="https://gitlab.com/users/sign_in">redirected</a>.</body></html>
What is the expected correct behavior?
curl returns 200 OK and the content of the file:
Hello, world.
Relevant logs and/or screenshots
None
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Results of GitLab application Check
Possible fixes
None