Can't fetch a private project avatar/badge anymore with a private_token
## Summary

Project avatars for private projects can't be fetched when you're not logged in. Before, you could still access a project avatar supplying a `?private_token=` like so:

`https://gitlab.com/uploads/-/system/project/avatar/---project-id---/---image---.png?private_token=---personal-access-token---`

Using a personal access token with `read_repository` permission allowed you to fetch the image. This doesn't work anymore.

**Note:** This was working with version `11.5.0`, and it broke with the security updates in `11.5.1`.

Same goes for project badges.

### Why

My project [CIMonitor](https://cimonitor.readthedocs.io/en/latest/services/GitLab/) is showing a list of all pipelines/builds, using the `project.avatar_url` pushed by a GitLab webhook. This is super awesome, except that nobody can access images for private projects.

### Steps to reproduce / current *bug* behavior

1. Copy the link of a project avatar for a private project
1. Open the avatar in an incognito window, see that you need to log in first
1. Add `?private_token=personal-access-token` to the image URL, replacing the `personal-access-token` with an actual personal access token with `read_repository` permission. Note: That user MUST have read access to the project!
1. See that you still can't access the image

### What is the expected *correct* behavior?

1. Copy the link of a project avatar for a private project
1. Open the avatar in an incognito window, see that you need to log in first
1. Add `?private_token=personal-access-token` to the image URL, replacing the `personal-access-token` with an actual personal access token with `read_repository` permission. Note: That user MUST have read access to the project!
1. See that you can view the image

## Implementation Guide

### Proposed Fix

Provide a `download` API v4 endpoint for project avatar. This `download` API v4 endpoint would then be usable by a Personal Access Token.

Update `avatar_url` that is returned by [Project API](https://docs.gitlab.com/ee/api/projects.html#get-single-project)