Step-up auth: Protect content in dashboard views and navigation

Problem Statement / Context

When step-up authentication is enabled for a group, users expect that sensitive content from that group is protected consistently across all access points. However, dashboard views and navigation elements may inadvertently leak information from protected groups by displaying activity feeds, TODO items, and quick access links.

Current Limitations:

  • Dashboard home (/dashboard/home) shows activity feeds with commits/MRs from protected groups
  • TODO lists display items from protected projects with issue/MR titles
  • Left navigation shows recent projects and pinned items from protected groups
  • Analytics dashboards may aggregate data across protected and non-protected groups
  • This creates inconsistent security behavior where direct group access is protected but content leaks through dashboard views

User Impact:

  • Organizations using step-up auth for sensitive groups cannot fully protect their content
  • Sensitive activity (commits, MRs, comments) visible to users who haven't completed step-up auth
  • TODO items reveal issue/MR titles from protected projects
  • Security and compliance requirements may not be met due to information leakage

Proposal

Implement content protection for step-up authentication enabled groups in dashboard views and navigation elements, ensuring that content from protected groups is secured until the user completes step-up authentication.

🛠️ with ❤️ at Siemens

Proposed Solution

Implement filtering/redaction of dashboard content from step-up auth protected groups:

Recommended Approach: Contextual Filtering

  • Filter content from protected groups in activity feeds and TODO lists
  • Show placeholder items indicating protected content exists
  • Example: "Activity from [Protected Group] - authentication required to view"
  • Provide step-up auth trigger inline

Affected Dashboard Areas:

  1. Dashboard Home (/dashboard/home)

    • Activity feed (commits, MRs, comments, pipelines)
    • Merge request widget
    • Issues widget

  2. TODO List (/dashboard/todos)

    • TODO items with issue/MR titles
    • Assignee and mention notifications
    • Review requests

  3. Left Navigation

    • Recent projects/groups
    • Pinned items
    • Frequently visited

  4. Merge Requests Dashboard (/dashboard/merge_requests)

    • MR titles and descriptions
    • Pipeline status

  5. Issues Dashboard (/dashboard/issues)

    • Issue titles and descriptions
    • Labels and milestones

  6. Activity Feed (/dashboard/activity)

    • All activity types from protected groups

Technical Approach

  1. Dashboard Content Filter

    • Extend step-up auth filter service for dashboard contexts
    • Filter at data retrieval layer, not presentation

  2. Activity Feed Decorator

    • Wrap activity items with step-up auth status
    • Group multiple protected activities into summary item

  3. TODO Item Protection

    • Redact TODO item details while preserving count
    • Show aggregated "X items require authentication" notice

  4. Navigation Protection

    • Filter recent/pinned items from protected groups
    • Or show with lock icon and auth requirement

What does success look like, and how can we measure that?

User Impact Metrics:

  • Zero information leakage from step-up auth protected groups through dashboards
  • User satisfaction with consistent security behavior
  • Clear visibility into what content requires additional authentication

Technical Metrics:

  • All dashboard content from protected groups is filtered/redacted
  • Dashboard load time impact < 10% additional latency
  • TODO count accuracy maintained (shows total including protected items)

Related Resources

  • Parent Epic: Step-Up Authentication (#16818 (closed))
  • Related Issue: #547659 (closed) - Review community contribution of expanding step-up auth beyond Admin Mode
  • Companion Issue: Step-up Authentication: Protect content in global search results

Implementation Plan

Technical Considerations

  • Filter at query/service layer for performance
  • Consider lazy-loading protected item counts
  • Handle real-time updates (ActionCable) for activity feeds
  • Cache step-up auth status per user session
  • Ensure consistent behavior across all dashboard entry points

Checklist

  • Design RFC for dashboard protection strategy
  • Extend step-up auth filter service for dashboard contexts
  • Add feature flag step_up_auth_dashboard_protection
  • Protect dashboard home content
    • Filter activity feed items
    • Filter MR/Issue widgets
    • Show protected content placeholder
  • Protect TODO list
    • Redact TODO item titles
    • Show aggregated auth notice
    • Maintain accurate TODO count
  • Protect left navigation
    • Filter recent projects/groups
    • Handle pinned items
  • Protect MR dashboard
    • Filter MR list items
  • Protect Issues dashboard
    • Filter issue list items
  • Protect Activity dashboard
    • Filter all activity types
  • Implement protected content UI components
    • Placeholder items
    • Inline step-up auth trigger
    • Protected item count badges
  • Add unit and integration tests
  • Add E2E tests for dashboard protection
  • Update dashboard documentation
  • Performance testing and optimization
Edited by 🤖 GitLab Bot 🤖