Anonymous users can't see embedded metrics in public projects when "Metrics Dashboard" visibility is "Everyone With Access"
Summary
When a public project allows "Everyone With Access" to see the Metrics Dashboard, anonymous users can see the metrics via Operations > Metrics. They cannot, however, see the same metrics charts when they are embedded in, e.g., issues.
Steps to reproduce
- As a GitLab user
  - Create a public project
  - In project settings (Settings > General) set the "Metrics Dashboard" dropdown to "Everyone With Access" and save
  - Ensure that Metrics are shown properly in Operations > Metrics
  - Create an issue and embed metrics chart (e.g. https://gitlab.com/gitlab-org/monitor/tanuki-inc/-/environments/1118134/metrics)
  - Verify that the embedded metric chart is shown
- As an anonymous user
  - Verify that charts are shown properly on Operations > Metrics ✔
  - View the created issue ✔
  - Verify that the embedded metric chart is not shown 🚫
Example Project
https://gitlab.com/gitlab-org/monitor/tanuki-inc/
What is the current bug behavior?
Anonymous users cannot see the embedded metric chart; only the link. When clicking on the link they can access the "Metrics Dashboard" as expected.
What is the expected correct behavior?
Anonymous users should see the embedded metric chart.
Relevant logs and/or screenshots
Accessing https://gitlab.com/gitlab-org/monitor/tanuki-inc/-/issues/102 as
Settings > General | As project member | Anonymous |
---|---|---|
Possible fixes
Use the policy check :metrics_dashboard (also used by "Metrics Dashboard") for the inline metrics redactor filter:
diff --git a/lib/banzai/filter/inline_metrics_redactor_filter.rb b/lib/banzai/filter/inline_metrics_redactor_filter.rb
index 7f98a52d421..4c9b1578e82 100644
--- a/lib/banzai/filter/inline_metrics_redactor_filter.rb
+++ b/lib/banzai/filter/inline_metrics_redactor_filter.rb
@@ -72,7 +72,7 @@ module Banzai
[
Route.new(
::Gitlab::Metrics::Dashboard::Url.metrics_regex,
- :read_environment
+ :metrics_dashboard
),
Route.new(
::Gitlab::Metrics::Dashboard::Url.grafana_regex,
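Review bot: the `grafana_regex` route directly below the changed `metrics_regex` route is left untouched, and this hunk does not show which ability it checks; please confirm whether embedded Grafana charts should follow the same "Metrics Dashboard" visibility setting, and change that route in the same commit if so. The swap from `:read_environment` to `:metrics_dashboard` also cuts both ways: a user who holds `:read_environment` but is denied `:metrics_dashboard` will now have the embed redacted. Add redactor filter specs for both cases: an anonymous user on a public project with "Everyone With Access" keeps the embed, and a user without access to the dashboard has it removed, so the embed and Operations > Metrics cannot drift apart again.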