Fix job artifact download API using job token
What does this MR do and why?
Fix job artifact download API using job token.
Before this change, a request to download a job artifact using the Get Job Artifacts API with a job token would fail.
GET /projects/:id/jobs/:job_id/artifacts
The correct behaviour should be as follows.
- Given 1 project with 2 jobs (`projA/job1`, `projA/job2`), when `projA/job2` token is used to request `projA/job1` artifacts, then it is allowed to download.
- Given 2 projects with 1 job each (`projA/job1`, `projB/job2`), and `projA` has licensed feature `cross_project_pipelines`, when `projB/job2` token is used to request `projA/job1` artifacts, then it is allowed to download.
- Given 2 projects with 1 job each (`projA/job1`, `projB/job2`), and `projB` has licensed feature `cross_project_pipelines`, when `projB/job2` token is used to request `projA/job1` artifacts, then it is NOT allowed to download.
- Given 2 projects with 1 job each (`projA/job1`, `projB/job2`), when `projB/job2` token is used to request `projA/job1` artifacts, then it is NOT allowed to download.
Caveat: the job whose token is used to authenticate the request must be in `:running` state, otherwise the request will be rejected with 401 forbidden. This is a prerequisite for any job token authentication in the Job Artifacts API.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #347244 (closed)
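
The four scenarios and the `:running` caveat above, written out as an added Ruby model for review and testing; it is not part of this MR and not GitLab's implementation. The struct and method names and the result symbols are hypothetical, and any other checks GitLab applies to the request are out of scope.

```ruby
# Added model of the rules in the MR description; names are hypothetical,
# and this is not GitLab's implementation.
Project = Struct.new(:name, :licensed_features) do
  def licensed?(feature)
    licensed_features.include?(feature)
  end
end

Job = Struct.new(:name, :project, :status)

# Outcome of GET /projects/:id/jobs/:job_id/artifacts when the request is
# authenticated with token_job's job token and :job_id is target_job.
def artifact_download_decision(token_job, target_job)
  # Caveat: the job that owns the token must be running.
  return :rejected_401 unless token_job.status == :running

  # Scenario 1: both jobs belong to the same project.
  return :allowed if token_job.project.equal?(target_job.project)

  # Scenarios 2-4: across projects, only the license of the project that
  # owns the artifacts counts; the requesting project's license does not.
  target_job.project.licensed?(:cross_project_pipelines) ? :allowed : :denied
end

# Constructed fixtures for the four scenarios, in the order listed above.
def scenario_results
  plain = ->(n) { Project.new(n, []) }
  licensed = ->(n) { Project.new(n, [:cross_project_pipelines]) }
  cases = [
    [plain.call("projA"), nil],                      # 1: same project
    [licensed.call("projA"), plain.call("projB")],   # 2: projA licensed
    [plain.call("projA"), licensed.call("projB")],   # 3: projB licensed
    [plain.call("projA"), plain.call("projB")]       # 4: neither licensed
  ]
  cases.map do |proj_a, proj_b|
    target = Job.new("job1", proj_a, :success)
    requester = Job.new("job2", proj_b || proj_a, :running)
    artifact_download_decision(requester, target)
  end
end

p scenario_results
```

Scenario 3 is the one worth keeping as a regression test: the license on the requesting project must not grant access to another project's artifacts.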