last_activity values visible in the Group Member UI to any authenticated user, but API requires Administrator rights to view data
Summary
Any logged-in user is able to view member last_activity from the member view; however, viewing member activity via the API requires administrative rights. Users who don't have admin privileges feel that, since they can see this information in the UI, they should be able to access it via the API as well using their own API credentials.
Steps to reproduce
- Log into the GitLab UI with a non-administrative user
- Navigate to a Group
- Click members
- Notice Last Activity is populated for every user
- Using an API client, access the GET /user/activities API endpoint with a user with non-administrative API rights
- Notice, access denied
Example Project
What is the current bug behavior?
Currently this data is available to all authenticated users via the Web UI but only available to users with administrative privileges via the API.
What is the expected correct behavior?
Data access rules should be consistent. If the user can see this information via the UI, they should be able to access it via the API with the same privilege level.