MR security reports are available to everyone
Summary
MR security reports are available to everyone, including users who are not logged in.
Steps to reproduce
Visit the MR security report URL in an incognito window (e.g. !109202 (closed)).
Example Project
gitlab.org/gitlab
What is the current bug behavior?
Reports are available to everyone.
What is the expected correct behavior?
Reports should be available to developers and above.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)
Possible fixes
Edited by Neil McCorrison