Direct Transfer - Authorised project/group exports are accessible to other users
We have functionality introduced by https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96503 and https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107363 that authorises resources before they are exported. For example, an issue's epic or notes might not be visible to the exporting user (despite being an owner of the project), so they are filtered before generating the export upload.

Given this authorization is performed for the exporting user, by allowing the file to be downloaded by other users, we are potentially exposing inaccessible resources.

### How to replicate

- With `User A`, create two private groups, `group-to-export` and `external-group`.
- Create an epic in each group and assign the one in `group-to-export` as a child epic of the one in `external-group`.
- Visit (Group -> Settings -> General -> Advanced) and export `group-to-export`.
- Download the file and find `epics.ndjson`. The epic parent should be visible.
- Invite another user, `User B`, to `group-to-export` and assign it the `owner` role.
- Log in as `User B` and visit the epic in `group-to-export`. The epic's parent (in the right sidebar) is not visible.
- Visit the export page and download the file again. Open `epics.ndjson`, which includes the epic's parent information.

![Screenshot_2023-04-24_at_11.30.03](/uploads/26c18fbc58f8be0576a0292ad22d3c45/Screenshot_2023-04-24_at_11.30.03.png)
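The following is an added example, not part of the original issue and not GitLab's code: a minimal Ruby model of the pattern described above, where an export filtered for one user is stored per group and served to another, next to a store that keys uploads by the user they were authorised for. All class, method and field names and the sample epics are constructed assumptions.

```ruby
require 'json'

# Constructed model: every name here is hypothetical, not a GitLab class.
Epic = Struct.new(:id, :title, :parent, :readers)
PARENT = Epic.new(1, 'external-group epic', nil, [:user_a])
CHILD  = Epic.new(2, 'group-to-export epic', PARENT, [:user_a, :user_b])

# One NDJSON line per epic; the parent is included only if `user` can read it.
def export_ndjson(epics, user)
  epics.map do |epic|
    parent = epic.parent if epic.parent&.readers&.include?(user)
    JSON.generate({ id: epic.id, title: epic.title,
                    parent: parent && { id: parent.id, title: parent.title } })
  end.join("\n")
end

# Vulnerable pattern: one upload per group, filtered for whoever ran the export.
class SharedExportStore
  def initialize
    @uploads = {}
  end

  def export(group, user, epics)
    @uploads[group] = export_ndjson(epics, user)
  end

  def download(group, _user)
    @uploads[group] # served to any member, whatever the exporter could see
  end
end

# Hardened pattern: uploads are keyed by the user they were authorised for.
class PerUserExportStore < SharedExportStore
  def export(group, user, epics)
    @uploads[[group, user]] = export_ndjson(epics, user)
  end

  def download(group, user)
    @uploads[[group, user]] # nil until this user generates their own export
  end
end
```
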