Group avatar not displayed on top-level groups for users with "Minimal Access" (HTTP 404)

Summary

Group avatars are not displayed on top-level groups where users are assigned with "Minimal Access".

A HTTP 404 error is returned while trying to fetch the related avatar.png image.

Steps to reproduce

1. Create a top-level group
2. Upload an group avatar image
3. Add another user with "Minimal Access" to the group
4. Log in as the other user and browse the groups

What is the current bug behavior?

Group avatar images are not displayed for top-level groups where users are assigned with "Minimal Access". Group names and descriptions are shown. Regardless of whether the user has higher privileges in a subgroup or not.

What is the expected correct behavior?

Group avatar images are displayed as expected, same as the group names and descriptions.

Relevant logs and/or screenshots

Log extracts with the related HTTP 404 errors:

192.0.2.123 - - [03/Sep/2025:07:56:00 +0000] "GET /uploads/-/system/group/avatar/92/avatar.png HTTP/2.0" 404 838 "https://git.example.com/dashboard/groups" "Mozilla/5.0 (X11; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0" 1.90

{"method":"GET","path":"/uploads/-/system/group/avatar/92/avatar.png","format":"html","controller":"UploadsController","action":"show","status":404,"time":"2025-09-03T07:56:00.390Z","params":[{"key":"model","value":"group"},{"key":"mounted_as","value":"avatar"},{"key":"id","value":"92"},{"key":"filename","value":"avatar.png"}],"correlation_id":"01K4796MRHSXJ6GMZZTA7M2V15","meta.caller_id":"UploadsController#show","meta.feature_category":"groups_and_projects","meta.organization_id":1,"meta.remote_ip":"192.0.2.123","meta.user":"example-user","meta.user_id":14,"meta.client_id":"user/14","remote_ip":"192.0.2.123","user_id":14,"username":"example-user","ua":"Mozilla/5.0 (X11; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0","queue_duration_s":0.031891,"request_urgency":"default","target_duration_s":1,"redis_calls":8,"redis_allowed_cross_slot_calls":1,"redis_duration_s":0.001791,"redis_read_bytes":876,"redis_write_bytes":933,"redis_db_load_balancing_calls":2,"redis_db_load_balancing_duration_s":0.000241,"redis_db_load_balancing_write_bytes":106,"redis_feature_flag_calls":3,"redis_feature_flag_duration_s":0.00073,"redis_feature_flag_read_bytes":597,"redis_feature_flag_write_bytes":210,"redis_sessions_calls":3,"redis_sessions_allowed_cross_slot_calls":1,"redis_sessions_duration_s":0.00082,"redis_sessions_read_bytes":279,"redis_sessions_write_bytes":617,"db_count":11,"db_write_count":0,"db_cached_count":0,"db_txn_count":0,"db_replica_txn_count":0,"db_primary_txn_count":0,"db_replica_count":0,"db_primary_count":11,"db_replica_write_count":0,"db_primary_write_count":0,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_replica_txn_max_duration_s":0.0,"db_primary_txn_max_duration_s":0.0,"db_replica_txn_duration_s":0.0,"db_primary_txn_duration_s":0.0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.018,"db_main_txn_count":0,"db_ci_txn_count":0,"db_main_replica_txn_count":0,"db_ci_replica_txn_count":0,"db_main_count":11,"db_ci_count":0,"db_main_replica_count":0,"db_ci_replica_count":0,"db_main_write_count":0,"db_ci_write_count":0,"db_main_replica_write_count":0,"db_ci_replica_write_count":0,"db_main_cached_count":0,"db_ci_cached_count":0,"db_main_replica_cached_count":0,"db_ci_replica_cached_count":0,"db_main_wal_count":0,"db_ci_wal_count":0,"db_main_replica_wal_count":0,"db_ci_replica_wal_count":0,"db_main_wal_cached_count":0,"db_ci_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_ci_replica_wal_cached_count":0,"db_main_txn_max_duration_s":0.0,"db_ci_txn_max_duration_s":0.0,"db_main_replica_txn_max_duration_s":0.0,"db_ci_replica_txn_max_duration_s":0.0,"db_main_txn_duration_s":0.0,"db_ci_txn_duration_s":0.0,"db_main_replica_txn_duration_s":0.0,"db_ci_replica_txn_duration_s":0.0,"db_main_duration_s":0.018,"db_ci_duration_s":0.0,"db_main_replica_duration_s":0.0,"db_ci_replica_duration_s":0.0,"cpu_s":0.197644,"mem_objects":137570,"mem_bytes":12848360,"mem_mallocs":49046,"mem_total_bytes":18351160,"pid":1075298,"worker_id":"puma_3","rate_limiting_gates":[],"db_duration_s":0.0165,"view_duration_s":0.0,"duration_s":0.05137}

GitLab information

Tested on 17.11.2-ee and v18.3.1-ee self-managed.