Fix authorize for user_project instead of release

lib/api/releases.rb

@@ -60,10 +60,10 @@ module API
                                desc: 'If `true`, a response includes HTML rendered markdown of the release description.'
       end
       get ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMENTS do
-        not_found! unless release
-
         authorize_download_code!
 
+        not_found! unless release
+
         present release, with: Entities::Release, current_user: current_user, include_html_description: params[:include_html_description]
       end
 
@@ -179,7 +179,7 @@ module API
       end
 
       def authorize_download_code!
-        authorize! :download_code, release
+        authorize! :download_code, user_project
       end
 
       def authorize_create_evidence!

spec/requests/api/releases_spec.rb

@@ -467,6 +467,7 @@ RSpec.describe API::Releases do
         get api("/projects/#{project.id}/releases/non_exist_tag", maintainer)
 
         expect(response).to have_gitlab_http_status(:not_found)
+        expect(json_response['message']).to eq('404 Not Found')
       end
 
       it 'returns project not found for no user' do
@@ -476,10 +477,10 @@ RSpec.describe API::Releases do
         expect(json_response['message']).to eq('404 Project Not Found')
       end
 
-      it 'returns 404 for guest' do
-        get api("/projects/#{project.id}/releases/non_exist_tag", guest)
+      it 'returns forbidden for guest' do
+        get api("/projects/#{project.id}/releases/non_existing_tag", guest)
 
-        expect(response).to have_gitlab_http_status(:not_found)
+        expect(response).to have_gitlab_http_status(:forbidden)
       end
     end