
MR security reports are available to everyone

Summary

MR security reports are available to everyone, including users who are not logged in.

Steps to reproduce

Visit an MR security report URL in an incognito (not logged-in) window (e.g. !109202 (closed)).

Example Project

gitlab.org/gitlab

What is the current bug behavior?

Reports are available to everyone.

What is the expected correct behavior?

Reports should only be available to users with Developer access or above.
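The following is an added example, not GitLab's own code, that models the access check this issue expects next to the current behaviour, so the two can be compared role by role. The class and method names are hypothetical; the access-level values mirror the ones GitLab uses for project roles (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50). Returning 404 rather than 403 to an anonymous visitor is an assumption here (it avoids confirming that the report exists), not something stated in the issue.

```ruby
# Added example (not GitLab code): expected vs. current behaviour for
# requests to an MR security report, keyed by the requester's project role.
# Access-level values mirror GitLab's project roles; everything else is a
# hypothetical stand-in for illustration.

module Access
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Hypothetical user record. A nil user stands for a not-logged-in visitor.
User = Struct.new(:name, :access_level)

# Current (buggy) behaviour described in the issue: the report is served to
# every requester, whoever they are.
def security_report_status_current(_user)
  200
end

# Expected behaviour: anonymous visitors get 404 (assumption: do not reveal
# that the report exists), members below Developer get 403, and Developer
# and above get 200.
def security_report_status_expected(user)
  return 404 if user.nil?
  return 403 if user.access_level < Access::DEVELOPER

  200
end

# Regression check: maps each role to [current_status, expected_status] so a
# mismatch (a leak) is visible per role. Sample users are constructed inline.
def compare_behaviours
  cases = {
    anonymous:  nil,
    guest:      User.new("guest", Access::GUEST),
    reporter:   User.new("reporter", Access::REPORTER),
    developer:  User.new("dev", Access::DEVELOPER),
    maintainer: User.new("maint", Access::MAINTAINER)
  }
  cases.transform_values do |user|
    [security_report_status_current(user), security_report_status_expected(user)]
  end
end

# Roles for which the current behaviour differs from the expected one.
def leaking_roles
  compare_behaviours.select { |_role, (current, expected)| current != expected }.keys
end

if __FILE__ == $PROGRAM_NAME
  compare_behaviours.each do |role, (current, expected)|
    flag = current == expected ? "ok" : "LEAK"
    puts format("%-11s current=%d expected=%d %s", role, current, expected, flag)
  end
end
```

Run with `ruby report_access.rb`; every role below Developer (and the anonymous visitor) shows as a leak under the current behaviour, which is exactly the set of requesters the fix must start rejecting.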

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

Edited by Neil McCorrison