Project avatars not available without authenticating
Summary
The images at /uploads/system/user/avatar are available without authenticating to GitLab. The images at /uploads/system/project/avatar aren't. This causes issues with the "Mattermost Notification" integration, as Mattermost can't embed the "Project Avatar" correctly into its output, so a broken image appears.
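As an added check (example code, not part of this report or of GitLab itself), the script below probes avatar upload URLs with no cookies or token and reports whether the user and project paths are treated the same way. It assumes GitLab answers an unauthenticated request for a protected upload with a redirect to the sign-in page (or 401/403); the URLs are placeholders to replace with real avatar URLs from your own instance.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location=None):
    """Map an HTTP status (plus Location header) to an access verdict."""
    if status == 200:
        return "public"
    if status in (401, 403):
        return "auth-required"
    # Assumption: GitLab sends unauthenticated requests for protected
    # uploads to the sign-in page rather than answering 401 outright.
    if 300 <= status < 400 and location and "sign_in" in location:
        return "auth-required"
    if status == 404:
        return "not-found"
    return "other:%d" % status


def probe(url):
    """HEAD one URL with no credentials; return (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def audit(base_url, paths):
    """Return {path: verdict} for each upload path under base_url."""
    return {p: classify(*probe(urljoin(base_url, p))) for p in paths}


def inconsistent(verdicts):
    """True when some avatars are public while others need a login."""
    seen = {v for v in verdicts.values() if v in ("public", "auth-required")}
    return seen == {"public", "auth-required"}


if __name__ == "__main__":
    # Placeholder URLs: substitute real avatar URLs from your own instance.
    report = audit("https://git.example.test/", [
        "/uploads/system/user/avatar/<user-id>/<file>",
        "/uploads/system/project/avatar/<project-id>/<file>",
    ])
    print(report, "inconsistent" if inconsistent(report) else "consistent")
```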
Steps to reproduce
Create a project, enable "Mattermost Notification" Integration. Trigger a failed build pipeline. This will push a Mattermost notification with an image embedded in it which Mattermost's image proxy can't access, causing the rendered output to be incorrect / undesirable.
What is the current bug behavior?
There is an inconsistency between access control in /uploads/system/user/avatar and /uploads/system/project/avatar.
What is the expected correct behavior?
Ideally, /uploads/system/project/avatar would be available without authenticating, but at the very least the two paths should be consistent, or there should be an option to toggle this on/off.
Relevant logs and/or screenshots
Results of GitLab environment info
System information
System: Debian 9.13
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.6p146
Gem Version: 2.7.10
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.9
Git Version: 2.28.0
Sidekiq Version: 5.2.9
Go Version: unknown

GitLab information
Version: 13.5.1-ee
Revision: a4cc9d130dd
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.9
URL: https://git.xxxxx
HTTP Clone URL: https://git.xxxxx/some-group/some-project.git
SSH Clone URL: git@git.xxxxx:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 13.11.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.11.0 ? ... OK (13.11.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 53 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.24.0 ? ... yes (2.28.0)
Git user has default SSH configuration? ... yes
Active users: ... 37
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 6.x - 7.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
Make the images in /uploads/system/project/avatar accessible without authenticating to GitLab first.