GraphQL mergeRequest commitsWithoutMergeCommits nodes list not populated as expected if the user cannot access MR's source branch
The commitsWithoutMergeCommits CommitConnection nodes list is not populated as expected if an MR's source branch is not visible to the user.
Steps to reproduce:
1. Create a private fork of a public project.
2. Create an MR in the public project using a branch in the private fork as the source branch.
3. Have a different user run a GraphQL query to list the commitsWithoutMergeCommits of the MR.
Expected results: The query lists the commits of the MR.
Actual results: The query returns an empty list.
Additional information:
- The commits are publicly visible in the web UI and the equivalent query using the REST API works as expected.
A real-world example:
- I created a Draft Merge Request cki-project/kernel-ark!1245 (closed) using a private fork.
Here is the result of using the REST API with no authentication to view the MR commits. It returns the expected details about the commits:
$ curl -s https://gitlab.com/api/v4/projects/13604247/merge_requests/1245/commits | jq ''
[
  {
    "id": "d2d6d3ac67988326f3b86b2c52fa2114abc7090a",
    "short_id": "d2d6d3ac",
    "created_at": "2021-07-09T12:33:16.000Z",
    "parent_ids": [],
    "title": "Update Makefile.rhelver",
    "message": "Update Makefile.rhelver",
    "author_name": "Patrick Talbert",
    "author_email": "ptalbert@redhat.com",
    "authored_date": "2021-07-09T12:33:16.000Z",
    "committer_name": "Patrick Talbert",
    "committer_email": "ptalbert@redhat.com",
    "committed_date": "2021-07-09T12:33:16.000Z",
    "trailers": {},
    "web_url": "https://gitlab.com/cki-project/kernel-ark/-/commit/d2d6d3ac67988326f3b86b2c52fa2114abc7090a"
  }
]
Here is the result of using the GraphQL API with no authentication to try to view the MR commits. Notice the commitsWithoutMergeCommits node list is empty:
$ curl -s -H "Content-Type: application/json" -X POST --data-raw '{"query":"query {project(fullPath: \"cki-project/kernel-ark\") {mergeRequest(iid: \"1245\") {commitsWithoutMergeCommits {nodes {sha}}}}}","variables":null}' https://gitlab.com/api/graphql | jq
{
  "data": {
    "project": {
      "mergeRequest": {
        "commitsWithoutMergeCommits": {
          "nodes": []
        }
      }
    }
  }
}
If I set my fork to be public then the GraphQL API query works as expected:
$ curl -s -H "Content-Type: application/json" -X POST --data-raw '{"query":"query {project(fullPath: \"cki-project/kernel-ark\") {mergeRequest(iid: \"1245\") {commitsWithoutMergeCommits {nodes {sha}}}}}","variables":null}' https://gitlab.com/api/graphql | jq
{
  "data": {
    "project": {
      "mergeRequest": {
        "commitsWithoutMergeCommits": {
          "nodes": [
            {
              "sha": "d2d6d3ac67988326f3b86b2c52fa2114abc7090a"
            }
          ]
        }
      }
    }
  }
}
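
An added regression check, not part of the original report or of GitLab's code: it compares the REST commit list with the GraphQL commitsWithoutMergeCommits nodes for one MR, as seen by the same user, and classifies the mismatch. The function names, the check_live parameters and the use of a Bearer token header are assumptions of this example; the sample data is trimmed from the responses above.

```python
import json
import urllib.request

# Same query as in the report, with variables instead of inlined values.
QUERY = ("query($path: ID!, $iid: String!) { project(fullPath: $path) {"
         " mergeRequest(iid: $iid) { commitsWithoutMergeCommits { nodes { sha } } } } }")

def fetch_json(url, payload=None, token=None):
    """GET url, or POST payload as JSON; token (optional) is sent as a Bearer token."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    data = None if payload is None else json.dumps(payload).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data, headers), timeout=30) as r:
        return json.load(r)

def graphql_shas(response):
    """Return the list of shas, or None if data/project/mergeRequest resolved to null."""
    node = response.get("data")
    for key in ("project", "mergeRequest", "commitsWithoutMergeCommits"):
        node = (node or {}).get(key)
    return None if node is None else [n["sha"] for n in node.get("nodes") or []]

def compare(rest_commits, graphql_response):
    """Classify the disagreement between the two API surfaces for one MR."""
    rest = {c["id"] for c in rest_commits}
    gql = graphql_shas(graphql_response)
    if gql is None:
        return "graphql-null", sorted(rest)
    missing = sorted(rest - set(gql))
    if rest and not gql:
        return "graphql-empty", missing    # the symptom in this report
    if missing:
        return "graphql-partial", missing  # may only be merge commits; review by hand
    return "consistent", []

def check_live(base, project_id, full_path, iid, token=None):
    """Ask both endpoints as the same user (or anonymously) and compare; first page only."""
    rest = fetch_json(f"{base}/api/v4/projects/{project_id}/merge_requests/{iid}/commits", token=token)
    gql = fetch_json(f"{base}/api/graphql", {"query": QUERY,
                     "variables": {"path": full_path, "iid": str(iid)}}, token)
    return compare(rest, gql)

if __name__ == "__main__":
    # Responses trimmed from the report above (private-fork case).
    rest = [{"id": "d2d6d3ac67988326f3b86b2c52fa2114abc7090a"}]
    empty = {"data": {"project": {"mergeRequest": {"commitsWithoutMergeCommits": {"nodes": []}}}}}
    print(compare(rest, empty))
```

A "graphql-null" result means the project or merge request itself did not resolve for that user, which is a different condition from the empty nodes list described in this report.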