Non-image attachments uploaded to confidential issues in public projects are viewable without authentication via direct link
Summary
Direct links to attachments in confidential issues (either description or discussions) are accessible and viewable without authentication.
This was reported by a 260-seat Starter customer (Zendesk ticket, internal use).
I'm actually not sure if this is intended or is a bug, but I'm filing as a bug out of an abundance of caution. It does feel like the customer's expectation would be that everything in a confidential issue should be confidential.
Steps to reproduce
- Set an issue to confidential
- Upload some attachments
- Use incognito mode to access the direct link to the attachments
Example Project
https://gitlab.com/gitlab-com/support/support-team-meta/issues/1752
What is the current bug behavior?
Direct links to attachments in confidential issues (either description or discussions) are accessible and viewable without authentication.
What is the expected correct behavior?
Direct links to attachments in confidential issues (either description or discussions) should not be accessible or viewable without authentication; they should be subject to the same visibility check as the issue they belong to.
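The gap between current and expected behaviour, modelled as an added example (not GitLab code): the reported check only considers project visibility, while the expected check makes an upload exactly as visible as the issue it was attached to. The model follows GitLab's documented rule that a confidential issue is readable only by its author, its assignees and members at Reporter level or above; the `Role` values, the `Upload`/`Issue` classes and the assumption that an upload records its parent issue are constructed for this illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    # Constructed ordering of access levels, lowest to highest.
    NONE = 0
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30


@dataclass
class Issue:
    project_public: bool
    confidential: bool
    author: str
    assignees: set = field(default_factory=set)


@dataclass
class Upload:
    path: str
    issue: Issue  # assumption: the file knows which issue references it


def can_read_issue(user, role, issue):
    """Anyone who can see the project can read a non-confidential issue;
    a confidential issue is limited to its author, assignees and Reporter+."""
    if not issue.confidential:
        return issue.project_public or role >= Role.GUEST
    if user is None:
        return False
    return user == issue.author or user in issue.assignees or role >= Role.REPORTER


def can_read_upload_buggy(user, role, upload):
    """Reported behaviour: only project visibility is checked, so in a public
    project anyone holding the direct link can fetch the file."""
    return upload.issue.project_public or role >= Role.GUEST


def can_read_upload_fixed(user, role, upload):
    """Expected behaviour: the file inherits the visibility of its issue."""
    return can_read_issue(user, role, upload.issue)


# Constructed scenario matching the report: public project, confidential issue.
CONFIDENTIAL = Issue(project_public=True, confidential=True, author="alice", assignees={"bob"})
ATTACHMENT = Upload(path="/uploads/<hash>/report.pdf", issue=CONFIDENTIAL)
```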
Output of checks
This bug happens on GitLab.com.