Unable to download Evidence collection
Summary
Downloading the Evidence collection on the Releases-page (Project overview -> Releases) leads to a "Not Found"-error.
The problem is that we require a lot of permissions to view release evidence:
    condition(:allowed_to_read_evidence) do
      can?(:read_release) &&
        can?(:download_code) &&
        can?(:read_project) &&
        can?(:read_milestone) &&
        can?(:read_issue)
    end
If the user can't view one of those, they can't download the release evidence. The easiest way to reproduce this is to disable the issue tracker on the project.
Steps to reproduce
- Log into GitLab
- Go to "Project overview" -> "Releases" of any project
- Click on the linked file under "Evidence collection"
What is the current bug behavior?
"Not Found"-error
What is the expected correct behavior?
Downloaded JSON-file
Relevant logs and/or screenshots
https://www.example.com/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json
Started GET "/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json" for 1.2.3.4 at 2020-02-27 17:54:23 +0100
Processing by Projects::ReleasesController#evidence as JSON
Parameters: {"namespace_id"=>"MYNAMESPACE", "project_id"=>"MYPROJECT", "tag"=>"MYTAG"}
Filter chain halted as :authorize_read_release_evidence! rendered or redirected
Completed 404 Not Found in 15ms (ActiveRecord: 1.5ms | Elasticsearch: 0.0ms | Allocations: 9755)
Results of GitLab environment info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.5p114
Gem Version: 2.7.10
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.24.1
Sidekiq Version: 5.2.7
Go Version: unknown

GitLab information
Version: 12.8.1
Revision: d18b43a5f5a
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 11.0.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Proposed solution
Don't show release evidence link if the user has no access to view release evidence content.
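
The mismatch described in this issue, modelled as an added stand-alone example (not GitLab's code): the controller enforces the five-ability conjunction, and the link is rendered only when that same check passes. The ability names come from the issue; `ProjectAccess`, `evidence_status`, `evidence_link`, and the feature-to-ability mapping are hypothetical names and assumptions made for illustration.

```ruby
# Stand-alone model of the check quoted in the issue; not GitLab's code.
# Ability names come from the issue; the class, the method names and the
# feature-to-ability mapping are assumptions made for this example.
require "set"

EVIDENCE_ABILITIES = %i[
  read_release download_code read_project read_milestone read_issue
].freeze

# Assumed mapping: disabling a project feature removes these abilities.
FEATURE_ABILITIES = { issues: %i[read_issue] }.freeze

class ProjectAccess
  def initialize(granted:, disabled_features: [])
    removed = disabled_features.flat_map { |f| FEATURE_ABILITIES.fetch(f, []) }
    @abilities = Set.new(granted) - removed
  end

  def can?(ability)
    @abilities.include?(ability)
  end

  # Same conjunction as :allowed_to_read_evidence in the issue.
  def allowed_to_read_evidence?
    missing_evidence_abilities.empty?
  end

  # Names the abilities that make the conjunction fail, for diagnosis.
  def missing_evidence_abilities
    EVIDENCE_ABILITIES.reject { |a| can?(a) }
  end
end

# Controller side: the behaviour in the issue's log (404 when the
# authorization filter halts the chain).
def evidence_status(access)
  access.allowed_to_read_evidence? ? 200 : 404
end

# View side, following the proposed solution: render the link only when
# the check the controller enforces would pass.
def evidence_link(access, path)
  access.allowed_to_read_evidence? ? path : nil
end
```

Driving both the controller filter and the link rendering from one predicate keeps the page from advertising a resource the policy will refuse.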