<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=18265) </details> <!--IssueSummary end--> The `LfsRequest` controller concern used to have a lot of similarities with `Projects::GitHttpController`. `Projects::GitHttpController` was refactored to put all of the responsibility for authorization in `GitAccess`. We should do the same for `LfsRequest` for the DRY principle. Particularly because we risk being inconsistent with authorization rules. ------ This came out of the following discussion from gitlab-ce!11398: - [ ] @DouweM started a [discussion](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11398#note_30350711): (+3 comments) > Refactoring `LfsRequest` in a similar way to this controller seems like a good idea, but it can be a separate MR.