Vulnerability related fields are available to unauthorized users on GraphQL API

Why are we doing this work

The Pipeline#securityReportFindings and Pipeline#securityReportSummary fields are not restricted from access by unauthorized users! I checked the original MRs introducing these fields (!54104 (merged) and !31550 (merged)) to understand whether this is a regression, but it seems the permission checks were missing from the beginning.

Relevant links

Steps to reproduce

You can use the following curl command to verify that these sensitive fields are available to anyone!

If you run this command, add your IP and approximate timestamp to this table:

| Who? | IP Address | Timestamp (date -u) |
| --- | --- | --- |
| @bwill | 136.49.173.76 | Wed Dec 8 20:17:57 UTC 2021 (probably about 15-20 mins before this) |
| @thiagocsf | 59.102.81.249 | Wed Dec 8 19:48:00 UTC 2021 |
| @ngeorge1 | 122.181.40.178 | Thu Dec 9 12:02:10 UTC 2021 |
| @quintasan | 31.178.237.73 | Mon Dec 13 12:53:14 UTC 2021 |

curl 'https://gitlab.com/api/graphql' \
  -H 'authority: gitlab.com' \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  --data-raw '{"query":"query {\n  project(fullPath: \"gitlab-org/gitlab\") {\n    id\n    pipeline(iid: 1031272) {\n      id\n      \n      securityReportFindings{\n        nodes {\n          name\n        }\n      }\n     \n      securityReportSummary {\n        dependencyScanning {\n          scannedResourcesCount\n        }\n      }\n    }\n  }\n}","variables":{},"operationName":null}' \
  --compressed

Implementation plan

  • backend Required permissions must be applied for these fields
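To illustrate the fix the plan calls for, here is an added example (not GitLab's code) that models field-level authorization on a Pipeline type: the unprotected variant returns the security fields to an anonymous caller, the protected variant resolves them to nil unless the user holds the required ability. The `:read_security_resource` ability name and the pipeline data are constructed for the example.

```ruby
# Added example, not GitLab code: a minimal model of per-field authorization
# for a GraphQL-style Pipeline type. Ability names and data are constructed.
require 'set'

User = Struct.new(:name, :abilities) do
  def can?(ability, _object)
    abilities.include?(ability)
  end
end
ANONYMOUS = User.new('anonymous', Set[:read_pipeline])

# A field: its name, the ability needed to read it (nil = no check), its resolver.
FieldDef = Struct.new(:name, :authorize, :resolver)

class PipelineType
  def initialize(fields)
    @fields = fields.to_h { |f| [f.name, f] }
  end

  # Resolve the requested fields for one pipeline object on behalf of user.
  # A field the user may not read resolves to nil (as graphql-ruby's
  # field-level authorize: does) instead of leaking the data.
  def resolve(object, user, requested)
    requested.to_h do |name|
      field = @fields.fetch(name)
      allowed = field.authorize.nil? || user.can?(field.authorize, object)
      [name, allowed ? field.resolver.call(object) : nil]
    end
  end
end

PIPELINE = { id: 1031272, findings: ['constructed-finding-1'], scanned: 12 }

# protect: false reproduces the reported gap; protect: true is the hardened type.
def build_type(protect:)
  auth = protect ? :read_security_resource : nil # hypothetical ability name
  PipelineType.new([
    FieldDef.new('id', :read_pipeline, ->(p) { p[:id] }),
    FieldDef.new('securityReportFindings', auth, ->(p) { p[:findings] }),
    FieldDef.new('securityReportSummary', auth,
                 ->(p) { { scannedResourcesCount: p[:scanned] } })
  ])
end

# Same selection set as the curl query above.
def query(type, user)
  type.resolve(PIPELINE, user, %w[id securityReportFindings securityReportSummary])
end
```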
Edited by Michał Zając