Guest users unable to see build output in private project despite public pipelines being enabled

Summary

Our docs state that if public pipelines setting is enabled (the default) then, in private projects, any member (guest or higher) can view the pipelines and access the job details (output logs and artifacts).

Testing this in v11.5.1-ee (and later) this is not the case or is inconsistent with the eocs.

Steps to reproduce

Reproduced on v11.5.1-ee:

• Create a private project
• Check that public pipelines are enabled at Settings > CI/CD > General pipelines
• Add a user as a Guest (customer reported this for external guest users, but I tested with a regular Guest user too)
• Run a CI pipeline
• Impersonate or log in as the guest user
• Observe the guest user can't view build logs

The customer said this was working back in July, so I spun up an instance on v11.0 (released June) and permission behaved as expected. The guest user was able to view build logs.

What is the current bug behavior?

Guest user can't view build logs.

• the buttons that should lead to job logs on both the Pipelines and Jobs pages are not clickable by users with the Guest role

What is the expected correct behavior?

Guest users should be able to view build logs.

• the buttons that lead to job logs on the Pipelines and Jobs pages should be clickable by users with the Guest role

When public pipelines are enabled Guests should be able to download and browse job artifacts, view job logs and view a list of jobs as noted in the Permissions and Roles documentation.

Links

Access policies are defined in https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/policies/project_policy.rb but I have not yet tracked down the specific change between v11.0 and v 11.5.1 that caused this.

Zendesk ticket: https://gitlab.zendesk.com/agent/tickets/109770 (internal-only link)