ProjectExportWorker does not take user permissions into account
When a user schedules an export, we don't validate the permissions for that user in the ProjectExportWorker
.
This means that when a user loses access to the project, when they already scheduled the export but it hasn't started yet, we would still process the export
Further context from Marin: "Assigning highest priority and severity because this enables abusers to very easily cause a system degradation that quickly can turn into a full outage. By not losing access, this means that when a user is blocked they can continue triggering the export over and over."
Edited by GitLab SecurityBot