
Can't fetch a private project avatar/badge anymore with a private_token

Summary

Project avatars for private projects can't be fetched when you're not logged in. Before, you could still access a project avatar supplying a ?private_token= like so:

https://gitlab.com/uploads/-/system/project/avatar/---project-id---/---image---.png?private_token=---personal-access-token---

Using a personal access token with read_repository permission allowed you to fetch the image. This doesn't work anymore.

Note: This was working with version 11.5.0, and it broke with the security updates in 11.5.1.

Same goes for project badges.

Why

My project CIMonitor is showing a list of all pipelines/builds, using the project.avatar_url pushed by a GitLab webhook. This is super awesome, except that nobody can access images for private projects.

Steps to reproduce / current bug behavior

  1. Copy the link of a project avatar for a private project
  2. Open the avatar in an incognito window, see that you need to log in first
  3. Add ?private_token=personal-access-token to the image URL, replacing personal-access-token with an actual personal access token with read_repository permission. Note: That user MUST have read access to the project!
  4. See that you still can't access the image

What is the expected correct behavior?

  1. Copy the link of a project avatar for a private project
  2. Open the avatar in an incognito window, see that you need to log in first
  3. Add ?private_token=personal-access-token to the image URL, replacing personal-access-token with an actual personal access token with read_repository permission. Note: That user MUST have read access to the project!
  4. See that you can view the image
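The steps above, turned into a repeatable check (an added example, not code from the issue or from GitLab): it requests the avatar anonymously, with the ?private_token= query parameter the report uses, and with the PRIVATE-TOKEN header, and reports which of the three is honoured. AVATAR_URL and TOKEN are placeholders; the `fetch` parameter exists so the logic can be exercised offline.

```python
# Added example (not part of the issue): probe how a GitLab project avatar URL
# responds anonymously, with ?private_token= (as in the report) and with the
# PRIVATE-TOKEN header. AVATAR_URL and TOKEN are placeholders.
import urllib.request
import urllib.error
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

AVATAR_URL = "https://gitlab.com/uploads/-/system/project/avatar/PROJECT-ID/avatar.png"  # placeholder
TOKEN = "PERSONAL-ACCESS-TOKEN"  # placeholder; the token's user needs read access to the project


def with_query_token(url, token):
    """Return url with private_token added to the query string (the form used in the report)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query["private_token"] = token
    return urlunsplit(parts._replace(query=urlencode(query)))


def http_status(url, headers=None):
    """GET url without following redirects and return the HTTP status code.
    A redirect to the sign-in page (the 'need to log in first' case) shows up as 302."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # do not follow; the 3xx surfaces as HTTPError below
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers or {})
    try:
        return opener.open(req, timeout=10).getcode()
    except urllib.error.HTTPError as e:
        return e.code


def probe_avatar(url, token, fetch=http_status):
    """Status codes for the three access modes; `fetch` is injectable for offline tests."""
    return {
        "anonymous": fetch(url),
        "query_token": fetch(with_query_token(url, token)),
        "header_token": fetch(url, {"PRIVATE-TOKEN": token}),
    }


def classify(results):
    """A private avatar should answer 200 only when a valid token is presented."""
    if results["anonymous"] == 200:
        return "public"
    if results["query_token"] == 200 or results["header_token"] == 200:
        return "private, token honoured"
    return "private, token NOT honoured (the behaviour reported here)"


if __name__ == "__main__":
    r = probe_avatar(AVATAR_URL, TOKEN)
    print(r, "->", classify(r))
```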

Implementation Guide

Proposed Fix

Provide a download API v4 endpoint for the project avatar. This download API v4 endpoint would then be usable with a Personal Access Token. Update the avatar_url that is returned by the Project API.

Edited by Christina Lohr