Skip to content

GitLab Next

Open
Created by alexgit2k@alexgit2k

Unable to download Evidence collection

Summary

Downloading the Evidence collection on the Releases-page (Project overview -> Releases) leads to a "Not Found"-error.

The problem is that we require a lot of permissions to view release evidence:

    condition(:allowed_to_read_evidence) do
      can?(:read_release) &&
        can?(:download_code) &&
        can?(:read_project) &&
        can?(:read_milestone) &&
        can?(:read_issue)
    end

If the user can't view one of those, it can't download the release evidence. The easiest way to reproduce this - disable the issue tracker on the project.

Steps to reproduce

  1. Log into Gitlab
  2. Go to "Project overview" -> "Releases" of any project
  3. Click on the linked file under "Evidence collection"

What is the current bug behavior?

"Not Found"-error

What is the expected correct behavior?

Downloaded JSON-file

Relevant logs and/or screenshots

https://www.example.com/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json

Started GET "/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json" for 1.2.3.4 at 2020-02-27 17:54:23 +0100
Processing by Projects::ReleasesController#evidence as JSON
  Parameters: {"namespace_id"=>"MYNAMESPACE", "project_id"=>"MYPROJECT", "tag"=>"MYTAG"}
Filter chain halted as :authorize_read_release_evidence! rendered or redirected
Completed 404 Not Found in 15ms (ActiveRecord: 1.5ms | Elasticsearch: 0.0ms | Allocations: 9755)

Results of GitLab environment info

Expand for output related to GitLab environment info 
System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.6.5p114
Gem Version:    2.7.10
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.7
Git Version:    2.24.1
Sidekiq Version:5.2.7
Go Version:     unknown

GitLab information
Version:        12.8.1
Revision:       d18b43a5f5a
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     11.7
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:


GitLab Shell
Version:        11.0.0
Repository storage paths:
default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Proposed solution

Don't show release evidence link if the user has no access to view release evidence content.

Edited by Vladimir Shushlin