Enforce authorization checks on media uploads
IMPORTANT NOTE
The work to deliver the settings has been completed from an engineering perspective. However, this work is still not on by default or available to users - rollout of the work can be tracked in #352291 (closed).
We do still expect to deliver this during %15.1, but the rollout issue will be the source of truth.
Problem to Solve
Images attached to issues, merge requests or comments do not require authentication to be viewed if someone knows the direct URL. This means that items uploaded to otherwise private projects aren't really private.
Additional Details
As discussed in https://gitlab.com/gitlab-org/gitlab-ce/issues/22657 and documented in https://gitlab.com/help/security/user_file_uploads.md, "Images attached to issues, merge requests or comments do not require authentication to be viewed if someone knows the direct URL." The chances of this direct URL being leaked or guessed are small, and the associated risk of an uploaded image leaking is usually acceptable, but this is not the case in all organizations, especially those dealing with more sensitive information.
Proposal
- Add a setting to require authentication when viewing media URLs
- This setting will be project level only
- The setting will only appear when `private` or `internal` visibility has been selected
- The setting will be `checked` by default on either of the above visibility settings
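The following is an added example, not GitLab's own code, that models the decision the proposal describes: when the setting is visible (private or internal projects), it defaults to on, and a request for an upload URL is then served only to a requester who can read the project; with the setting off, or on a public project, knowing the URL is enough, which is the behaviour the problem statement describes. The `Project` struct, the `members` list and the `can_read_project?` rule are assumptions made for the illustration.

```ruby
# Added example (not GitLab's code): a model of the proposed
# "require authentication to view media uploads" project setting.

# Assumed minimal project record: visibility is 'public', 'internal' or
# 'private'; require_auth_for_uploads is nil when the project has not set it.
Project = Struct.new(:visibility, :require_auth_for_uploads, :members, keyword_init: true)

# The setting is shown only for private or internal visibility.
def upload_auth_setting_visible?(project)
  %w[private internal].include?(project.visibility)
end

# Effective value: checked by default where the setting is shown (nil -> true),
# honoured when set explicitly, and never enforced on public projects.
def require_auth_for_uploads?(project)
  return false unless upload_auth_setting_visible?(project)
  project.require_auth_for_uploads.nil? ? true : project.require_auth_for_uploads
end

# Assumed read rule: public projects are readable by anyone, internal projects
# by any signed-in user (non-nil), private projects only by members.
def can_read_project?(project, user)
  case project.visibility
  when 'public' then true
  when 'internal' then !user.nil?
  when 'private' then !user.nil? && project.members.include?(user)
  else false
  end
end

# Authorization decision for a request to an upload URL. With the setting off
# (today's behaviour) the URL alone is sufficient; with it on, the requester
# must be able to read the project the upload belongs to.
def serve_upload?(project, user)
  return true unless require_auth_for_uploads?(project)
  can_read_project?(project, user)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a private project with one member, setting left at default.
  project = Project.new(visibility: 'private', require_auth_for_uploads: nil, members: ['alice'])
  puts "member: #{serve_upload?(project, 'alice')}, anonymous: #{serve_upload?(project, nil)}"
end
```

The `nil` default is what makes the proposal's "checked by default" explicit: an existing private or internal project that never touched the setting gets authentication enforced, while an explicit `false` reproduces the old direct-URL behaviour.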
Design
Please see attached design