REST API & GraphQL API exposes starred projects of a user who has a private profile
While working on #33563 (closed), I noticed that both the
- REST API: https://docs.gitlab.com/ee/api/projects.html#list-projects-starred-by-a-user
- GraphQL API: https://docs.gitlab.com/ee/api/graphql/reference/#user - starredProjects
expose the details of projects starred by a user who has enabled a private profile.
Steps:
- As a user A, star at least 1 project.
- As user A, turn on private profile in Profile settings (in /profile - Don't display activity-related personal information on your profiles)
- Access details of user A as a user B via REST/GraphQL API
- The details of starred projects of user A are visible to user B

(Please note that the starred project should also be visible to B, if not, the project is not shown. In short: Project visibility levels are honoured here.)
I am not sure if this is intended behaviour because https://docs.gitlab.com/ee/user/profile/#private-profile states that Starred projects of users with private profiles are not shown in their profile page.
However, the above page does mention that this behaviour is related to profile page.
But it still feels odd that starred projects of a user with private profile are not shown in their profile page, but if you use the API, you can still see this information.
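
The gap reported above, as an added example that is not part of the original issue and is not GitLab's code: a small Ruby model where the starred-projects lookup filters on project visibility only, next to a form that also checks the profile's privacy setting. All class, method and project names are hypothetical, and the rule that only the owner or an admin may read a private profile is an assumption.

```ruby
# Constructed model, not GitLab source: every name here is hypothetical.
User = Struct.new(:name, :private_profile, :admin, :starred, keyword_init: true)
Project = Struct.new(:path, :visibility, :members, keyword_init: true)

# Project visibility check (the part the report says is already honoured).
def can_read_project?(viewer, project)
  return true if project.visibility == :public
  return false if viewer.nil?
  project.visibility == :internal || project.members.include?(viewer.name)
end

# Profile privacy check. Assumption: a private profile is readable only
# by its owner or by an admin.
def can_read_profile?(viewer, target)
  return true unless target.private_profile
  !viewer.nil? && (viewer.equal?(target) || viewer.admin)
end

# Behaviour described in the report: only project visibility is filtered,
# so the private-profile flag has no effect on the result.
def starred_projects_reported(viewer, target)
  target.starred.select { |p| can_read_project?(viewer, p) }
end

# Hardened form: the profile check gates the whole list first, then the
# per-project visibility filter still applies.
def starred_projects_hardened(viewer, target)
  return [] unless can_read_profile?(viewer, target)
  target.starred.select { |p| can_read_project?(viewer, p) }
end

# Constructed sample data mirroring the steps: user A has a private profile
# and has starred one public and one private project; user B is another user.
PUBLIC_PROJECT  = Project.new(path: "group/public-app", visibility: :public, members: [])
PRIVATE_PROJECT = Project.new(path: "group/secret-app", visibility: :private, members: ["A"])
USER_A = User.new(name: "A", private_profile: true, admin: false,
                  starred: [PUBLIC_PROJECT, PRIVATE_PROJECT])
USER_B = User.new(name: "B", private_profile: false, admin: false, starred: [])

if __FILE__ == $PROGRAM_NAME
  puts "reported: #{starred_projects_reported(USER_B, USER_A).map(&:path).inspect}"
  puts "hardened: #{starred_projects_hardened(USER_B, USER_A).map(&:path).inspect}"
end
```

A regression test for this class of issue should call each API surface as a second user and assert on the result, since the profile page and the API can apply different checks.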