Raw private snippets that are not linked to a project can be viewed while logged out
- GitLab version: 8.2.1-ee (GitLab.com)
- Zendesk ticket: https://gitlab.zendesk.com/agent/tickets/12609
Description of issue
Take this snippet as an example: https://gitlab.com/snippets/10934/raw
If you are logged in, you will receive a 404, as expected, but if you are completely logged out of the system, you will be able to see the raw contents of the snippet without being prompted to log in.
If you remove the /raw part of the link, you will be redirected to the login screen, as expected, so this only affects the raw view of the snippet.
Result of replication
Just as described.
Concrete questions / Next steps
This should not be the case. It looks like the bug was introduced with commit c8fe4215. Line 85 should read:
`PersonalSnippet.are_public.find(params[:id])`
and not:
`PersonalSnippet.find(params[:id])`
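As an added example (not GitLab's code), the following Ruby models the unscoped lookup and the `are_public`-scoped lookup in memory to show why the logged-out raw view resolves a private snippet while the scoped version yields a 404. `Relation`, `RecordNotFound`, the visibility constants and the sample rows are constructed stand-ins for the ActiveRecord pieces.

```ruby
# Added example (not GitLab's code): an in-memory stand-in for the
# PersonalSnippet model, showing why the logged-out raw view resolved private
# snippets and how scoping the lookup to `are_public` closes the hole.
class RecordNotFound < StandardError; end # stands in for ActiveRecord::RecordNotFound
# Stands in for an ActiveRecord relation: `find` over a restricted set of rows.
Relation = Struct.new(:rows) do
  def find(id)
    rows.find { |s| s.id == id } or raise RecordNotFound, "snippet id=#{id}"
  end
end
class PersonalSnippet
  PRIVATE = 0  # visibility levels, constructed for this demo
  PUBLIC  = 20
  attr_reader :id, :visibility_level, :content
  def initialize(id, visibility_level, content)
    @id, @visibility_level, @content = id, visibility_level, content
  end
  # Constructed sample rows; the id from the report is modelled as private.
  ALL = [new(10934, PRIVATE, 'private notes'), new(10935, PUBLIC, 'public gist')].freeze

  # Unscoped lookup, as the raw action used before the fix.
  def self.find(id)
    Relation.new(ALL).find(id)
  end

  # The `are_public` scope: only rows visible to everyone.
  def self.are_public
    Relation.new(ALL.select { |s| s.visibility_level == PUBLIC })
  end
end
# Logged-out raw view before the fix: any snippet resolves by id.
def raw_before(id)
  PersonalSnippet.find(id).content
end
# Logged-out raw view with the fix from the report: a private id raises,
# which the controller turns into the same 404 the non-raw view gives.
def raw_after(id)
  PersonalSnippet.are_public.find(id).content
end
# Maps the lookup outcome to the HTTP status an anonymous visitor would see.
def anonymous_raw_status(id, fixed:)
  fixed ? raw_after(id) : raw_before(id)
  200
rescue RecordNotFound
  404
end
```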