Merge branch 'group-token-name-visibility' into 'master'

Fix group bot token name in REST API and GraphQL

See merge request !81843

app/graphql/types/user_interface.rb

@@ -134,14 +134,7 @@ def resolve_type(object, context)
     end
 
     def redacted_name
-      return object.name unless object.project_bot?
-
-      return object.name if context[:current_user]&.can?(:read_project, object.projects.first)
-
-      # If the requester does not have permission to read the project bot name,
-      # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
-      # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
-      '****'
+      object.redacted_name(context[:current_user])
     end
   end
 end

app/models/concerns/has_user_type.rb

@@ -46,4 +46,17 @@ def bot?
   def internal?
     ghost? || (bot? && !project_bot?)
   end
+
+  def redacted_name(viewing_user)
+    return self.name unless self.project_bot?
+
+    return self.name if self.groups.any? && viewing_user&.can?(:read_group, self.groups.first)
+
+    return self.name if viewing_user&.can?(:read_project, self.projects.first)
+
+    # If the requester does not have permission to read the project bot name,
+    # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
+    # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
+    '****'
+  end
 end

lib/api/entities/user_safe.rb

@@ -5,14 +5,7 @@ module Entities
     class UserSafe < Grape::Entity
       expose :id, :username
       expose :name do |user|
-        next user.name unless user.project_bot?
-
-        next user.name if options[:current_user]&.can?(:read_project, user.projects.first)
-
-        # If the requester does not have permission to read the project bot name,
-        # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
-        # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
-        '****'
+        user.redacted_name(options[:current_user])
       end
     end
   end

spec/graphql/types/user_type_spec.rb

@@ -52,10 +52,13 @@
     let_it_be(:user) { create(:user) }
     let_it_be(:requested_user) { create(:user, name: 'John Smith') }
     let_it_be(:requested_project_bot) { create(:user, :project_bot, name: 'Project bot') }
+    let_it_be(:requested_group_bot) { create(:user, :project_bot, name: 'Group bot') }
     let_it_be(:project) { create(:project, :public) }
+    let_it_be(:group) { create(:group, :public) }
 
     before do
       project.add_maintainer(requested_project_bot)
+      group.add_maintainer(requested_group_bot)
     end
 
     let(:username) { requested_user.username }
@@ -123,6 +126,50 @@
             end
           end
         end
+
+        context 'a group bot' do
+          let(:username) { requested_group_bot.username }
+
+          context 'when requester is nil' do
+            let(:current_user) { nil }
+
+            it 'returns `****`' do
+              expect(user_name).to eq('****')
+            end
+          end
+
+          context 'when the requester is not a group member' do
+            it 'returns `Group bot` for a non group member in a public group' do
+              expect(user_name).to eq('Group bot')
+            end
+
+            context 'in a private group' do
+              let(:group) { create(:group, :private) }
+
+              it 'returns `****` for a non group member in a private group' do
+                expect(user_name).to eq('****')
+              end
+            end
+          end
+
+          context 'with a group member' do
+            before do
+              group.add_guest(user)
+            end
+
+            it 'returns `Group bot` for a group member' do
+              expect(user_name).to eq('Group bot')
+            end
+
+            context 'in a private group' do
+              let(:group) { create(:group, :private) }
+
+              it 'returns `Group bot` for a group member in a private group' do
+                expect(user_name).to eq('Group bot')
+              end
+            end
+          end
+        end
       end
     end
 
@@ -142,6 +189,14 @@
           expect(subject).to eq('Project bot')
         end
       end
+
+      context 'a group bot' do
+        let(:username) { requested_group_bot.username }
+
+        it 'returns name' do
+          expect(subject).to eq('Group bot')
+        end
+      end
     end
   end
 

spec/lib/api/entities/user_spec.rb

@@ -78,6 +78,63 @@
     end
   end
 
+  context 'with group bot user' do
+    let(:group) { create(:group) }
+    let(:user) { create(:user, :project_bot, name: 'group bot') }
+
+    before do
+      group.add_maintainer(user)
+    end
+
+    it 'exposes user as a bot' do
+      expect(subject[:bot]).to eq(true)
+    end
+
+    context 'when the requester is not a group member' do
+      context 'with a public group' do
+        it 'exposes group bot user name' do
+          expect(subject[:name]).to eq('group bot')
+        end
+      end
+
+      context 'with a private group' do
+        let(:group) { create(:group, :private) }
+
+        it 'does not expose group bot user name' do
+          expect(subject[:name]).to eq('****')
+        end
+      end
+    end
+
+    context 'when the requester is nil' do
+      let(:current_user) { nil }
+
+      it 'does not expose group bot user name' do
+        expect(subject[:name]).to eq('****')
+      end
+    end
+
+    context 'when the requester is a group maintainer' do
+      let(:current_user) { create(:user) }
+
+      before do
+        group.add_maintainer(current_user)
+      end
+
+      it 'exposes group bot user name' do
+        expect(subject[:name]).to eq('group bot')
+      end
+    end
+
+    context 'when the requester is an admin' do
+      let(:current_user) { create(:user, :admin) }
+
+      it 'exposes group bot user name', :enable_admin_mode do
+        expect(subject[:name]).to eq('group bot')
+      end
+    end
+  end
+
   it 'exposes local_time' do
     local_time = '2:30 PM'
     expect(entity).to receive(:local_time).with(timezone).and_return(local_time)