• Krasimir Angelov's avatar
    Allow guests users to access project releases · 241ba4be
    Krasimir Angelov authored
    This is step one of resolving
    https://gitlab.com/gitlab-org/gitlab-ce/issues/56838.
    
    Here is what changed:
    - Revert the security fix from bdee9e84.
    - Do not leak repository information (tag name, commit) to guests in API
    responses.
    - Do not include links to source code in API responses for users that do
    not have download_code access.
    - Show Releases in sidebar for guests.
    - Do not display links to source code under Assets for users that do not
    have download_code access.
    
    GET ':id/releases/:tag_name' still do not allow guests to access
    releases. This is to prevent guessing tag existence.
    241ba4be
project_policy.rb 15.1 KB