Unable to download Evidence collection (#208397) · Issues · GitLab.org / GitLab

Unable to download Evidence collection

Summary

Downloading the Evidence collection on the Releases-page (Project overview -> Releases) leads to a "Not Found"-error.

The problem is that we require a lot of permissions to view release evidence:

    condition(:allowed_to_read_evidence) do
      can?(:read_release) &&
        can?(:download_code) &&
        can?(:read_project) &&
        can?(:read_milestone) &&
        can?(:read_issue)
    end

If the user can't view one of those, it can't download the release evidence. The easiest way to reproduce this - disable the issue tracker on the project.

Steps to reproduce

Log into Gitlab
Go to "Project overview" -> "Releases" of any project
Click on the linked file under "Evidence collection"

What is the current bug behavior?

"Not Found"-error

What is the expected correct behavior?

Downloaded JSON-file

Relevant logs and/or screenshots

https://www.example.com/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json

Started GET "/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json" for 1.2.3.4 at 2020-02-27 17:54:23 +0100
Processing by Projects::ReleasesController#evidence as JSON
  Parameters: {"namespace_id"=>"MYNAMESPACE", "project_id"=>"MYPROJECT", "tag"=>"MYTAG"}
Filter chain halted as :authorize_read_release_evidence! rendered or redirected
Completed 404 Not Found in 15ms (ActiveRecord: 1.5ms | Elasticsearch: 0.0ms | Allocations: 9755)

Results of GitLab environment info

Expand for output related to GitLab environment info

System information System: Current User: git Using RVM: no Ruby Version: 2.6.5p114 Gem Version: 2.7.10 Bundler Version:1.17.3 Rake Version: 12.3.3 Redis Version: 5.0.7 Git Version: 2.24.1 Sidekiq Version:5.2.7 Go Version: unknown

GitLab information Version: 12.8.1 Revision: d18b43a5f5a Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 11.7 Using LDAP: yes Using Omniauth: yes Omniauth Providers:

GitLab Shell Version: 11.0.0 Repository storage paths: default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git

Proposed solution

Don't show release evidence link if the user has no access to view release evidence content.

### Summary

Downloading the Evidence collection on the Releases-page (Project overview -> Releases) leads to a "Not Found"-error.

The problem is that we require a lot of permissions to view release evidence:

```
    condition(:allowed_to_read_evidence) do
      can?(:read_release) &&
        can?(:download_code) &&
        can?(:read_project) &&
        can?(:read_milestone) &&
        can?(:read_issue)
    end
```

If the user can't view one of those, it can't download the release evidence. The easiest way to reproduce this - disable the issue tracker on the project.

### Steps to reproduce

1. Log into Gitlab
2. Go to "Project overview" -> "Releases" of any project
3. Click on the linked file under "Evidence collection"

### What is the current *bug* behavior?

"Not Found"-error

### What is the expected *correct* behavior?

Downloaded JSON-file

### Relevant logs and/or screenshots

https://www.example.com/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json

```
Started GET "/MYNAMESPACE/MYPROJECT/-/releases/MYTAG/evidence.json" for 1.2.3.4 at 2020-02-27 17:54:23 +0100
Processing by Projects::ReleasesController#evidence as JSON
  Parameters: {"namespace_id"=>"MYNAMESPACE", "project_id"=>"MYPROJECT", "tag"=>"MYTAG"}
Filter chain halted as :authorize_read_release_evidence! rendered or redirected
Completed 404 Not Found in 15ms (ActiveRecord: 1.5ms | Elasticsearch: 0.0ms | Allocations: 9755)
```
#### Results of GitLab environment info

<details>
<summary>Expand for output related to GitLab environment info</summary>
<pre>
System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.6.5p114
Gem Version:    2.7.10
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.7
Git Version:    2.24.1
Sidekiq Version:5.2.7
Go Version:     unknown

GitLab information
Version:        12.8.1
Revision:       d18b43a5f5a
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     11.7
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        11.0.0
Repository storage paths:
default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git
</pre>
</details>

### Proposed solution