Exclude requesters from Project#members, Group#members and User#members

Rémy Coutable requested to merge explicit-requesters-scope into master

What does this MR do?

It excludes requesters from the Project#members, Group#members and User#members associations, and adds new Project#requesters and Group#requesters associations.

Are there points in the code the reviewer needs to double check?

No.

Why was this MR needed?

Without this, if you call project.members, requesters are included in the results! This is at best misleading, and at worst can lead to security issues. By excluding requesters from the #members associations, we avoid inadvertently introducing security issues, since you have to call the #requesters association explicitly to get requesters.

What are the relevant issue numbers?

This is something I realized while fixing the security issue #19102 (closed).

Does this MR meet the acceptance criteria?

  • I don't think this needs a CHANGELOG since this is an internal change
  • Tests
    • Added for this feature/bug
    • All builds are passing
  • Conform by the style guides
  • Branch has no merge conflicts with master (if you do - rebase it please)
  • Squashed related commits together
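The risk this MR describes, shown as an added example that is not GitLab's code: a permission check written against an unscoped #members collection treats a pending access requester as a member, while a #members scope that excludes requesters (with requesters reachable only through an explicit #requesters accessor) closes that gap. The example assumes, as a labelled modelling choice, that an access request is stored as a member record whose requested_at is set; the real GitLab associations are not reproduced here.

```ruby
# Added illustration, not GitLab's own code.
# Assumption: an access request is a Member row with requested_at set;
# an actual member has requested_at nil. In Rails this scoping would live on
# the has_many association (e.g. a where(requested_at: nil) scope); here it
# is plain Ruby so the behaviour can be seen without a database.
require 'time'

Member = Struct.new(:user, :requested_at, keyword_init: true) do
  def requester?
    !requested_at.nil?
  end
end

# "Before": #members returns every row, pending requesters included.
class UnscopedProject
  def initialize(rows)
    @rows = rows
  end

  def members
    @rows
  end

  # A typical authorization check written against #members.
  # With the unscoped collection this passes for a requester too.
  def member?(user)
    members.any? { |m| m.user == user }
  end
end

# "After": #members excludes requesters; callers that really want
# requesters have to ask for #requesters explicitly.
class ScopedProject
  def initialize(rows)
    @rows = rows
  end

  def members
    @rows.reject(&:requester?)
  end

  def requesters
    @rows.select(&:requester?)
  end

  def member?(user)
    members.any? { |m| m.user == user }
  end
end

# Constructed sample data: one real member, one pending access request.
ROWS = [
  Member.new(user: 'alice', requested_at: nil),
  Member.new(user: 'mallory', requested_at: Time.parse('2016-07-01T10:00:00Z'))
].freeze

def before_check(user)
  UnscopedProject.new(ROWS).member?(user)
end

def after_check(user)
  ScopedProject.new(ROWS).member?(user)
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped: mallory member? #{before_check('mallory')}"   # true, the bug
  puts "scoped:   mallory member? #{after_check('mallory')}"    # false
  puts "scoped requesters: #{ScopedProject.new(ROWS).requesters.map(&:user)}"
end
```

The useful property of the scoped version is that the safe answer is the default: any existing call site that iterates or queries #members stops seeing requesters without being changed, and the only way to include them is a visible, reviewable call to #requesters.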
