Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/projects/releases/evidences_controller.rb | 38 | ||||
-rw-r--r-- | app/controllers/projects/releases_controller.rb | 14 |
2 files changed, 38 insertions, 14 deletions
diff --git a/app/controllers/projects/releases/evidences_controller.rb b/app/controllers/projects/releases/evidences_controller.rb new file mode 100644 index 00000000000..34e450d903f --- /dev/null +++ b/app/controllers/projects/releases/evidences_controller.rb @@ -0,0 +1,38 @@ +# frozen_string_literal: true + +module Projects + module Releases + class EvidencesController < Projects::ApplicationController + before_action :require_non_empty_project + before_action :release + before_action :authorize_read_release_evidence! + + def show + respond_to do |format| + format.json do + render json: evidence.summary + end + end + end + + private + + def authorize_read_release_evidence! + access_denied! unless Feature.enabled?(:release_evidence, project, default_enabled: true) + access_denied! unless can?(current_user, :read_release_evidence, evidence) + end + + def release + @release ||= project.releases.find_by_tag!(sanitized_tag_name) + end + + def evidence + release.evidences.find(params[:id]) + end + + def sanitized_tag_name + CGI.unescape(params[:tag]) + end + end + end +end diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb index 7d6b38dd243..fc60f42095c 100644 --- a/app/controllers/projects/releases_controller.rb +++ b/app/controllers/projects/releases_controller.rb @@ -11,7 +11,6 @@ class Projects::ReleasesController < Projects::ApplicationController push_frontend_feature_flag(:release_show_page, project, default_enabled: true) end before_action :authorize_update_release!, only: %i[edit update] - before_action :authorize_read_release_evidence!, only: [:evidence] def index respond_to do |format| @@ -22,14 +21,6 @@ class Projects::ReleasesController < Projects::ApplicationController end end - def evidence - respond_to do |format| - format.json do - render json: release.evidence_summary - end - end - end - def show return render_404 unless Feature.enabled?(:release_show_page, project, default_enabled: true) 
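Review bot: In `authorize_read_release_evidence!` of the new `evidences_controller.rb`, the two `access_denied!` guards run back to back with no early return, so when the `:release_evidence` flag is off the second line still calls `evidence` (a lookup by `params[:id]`) and may call `access_denied!` a second time. Unless `access_denied!` raises (its definition is not in this diff), the first guard should read `return access_denied! unless Feature.enabled?(:release_evidence, project, default_enabled: true)`. `evidence` is also loaded once for the permission check and again in `show`; memoizing it as `@evidence ||= release.evidences.find(params[:id])` makes the checked record and the rendered record the same object and saves a query. Scoping the lookup through `release.evidences` is what keeps an id belonging to another release from resolving, so that scoping should stay.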
@@ -64,11 +55,6 @@ class Projects::ReleasesController < Projects::ApplicationController access_denied! unless can?(current_user, :update_release, release) end - def authorize_read_release_evidence! - access_denied! unless Feature.enabled?(:release_evidence, project, default_enabled: true) - access_denied! unless can?(current_user, :read_release_evidence, release) - end - def release @release ||= project.releases.find_by_tag!(sanitized_tag_name) end |