Skip to content

Enforce auth checks on uploads

Kerri Miller requested to merge 26781-enforce-auth-checks-on-uploads into master

What does this MR do and why?

We want to align ourselves with private means private and making the product reflect that is much better than forcing users to find settings to make private mean private.

Uploads are currently only stored in the context of the Project (or Group), and not the context of the immediate location they're uploaded and/or displayed in (typically discussion threads on Issues and Merge Requests..) we only have the visibility level of that containing Project or Group to work with. The simplest path forward here is to enforce authorization checks on uploads (as summarized in this comment: #26781 (comment 817364933)).

This allows us to close a long-open security issue, and then move forward on prioritizing follow-on improvements (such as giving more context to Uploads or adding additional admin settings) in future iterations as regular Feature development work.

Related to #26781 (closed)

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports

Loading