Discussions API incorrectly masks author name for group owner with sufficient permissions
Summary
The discussions endpoint masks author.name as "****" even when the requesting user is a group owner with full permissions on GitLab.com.
Steps to reproduce
- Create a new group on GitLab.com
- Create a new project within that group
- Create a new user or bot account (e.g., `ai-reviewer-bot`)
- Add the bot to the project with the Developer role
- Create a test branch and push code:

  ```shell
  git checkout -b test-branch
  echo "test" > test.txt
  git add test.txt
  git commit -m "test"
  git push -u origin test-branch
  ```

- Create a merge request from `test-branch` to the default branch
- Add a discussion comment to the MR using the bot's account (or a group access token)
- As the group owner, query the discussions endpoint:

  ```shell
  curl -H "PRIVATE-TOKEN: YOUR_PERSONAL_TOKEN" \
    "https://gitlab.com/api/v4/projects/{PROJECT_ID}/merge_requests/{MR_IID}/discussions"
  ```

- Observe that `author.name` is masked as `"****"`
- Query the users endpoint for the same user:

  ```shell
  curl -H "PRIVATE-TOKEN: YOUR_PERSONAL_TOKEN" \
    "https://gitlab.com/api/v4/users/{USER_ID}"
  ```

- Observe that the actual name is returned (not masked)
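The comparison in the last four steps can be scripted so the two responses are checked against each other rather than read by eye. The script below is an added example, not part of the original report or of GitLab's own code. It only uses the two REST paths named above and the `PRIVATE-TOKEN` header; the sample payloads, the user ids, the usernames and the `GITLAB_TOKEN` / `PROJECT_ID` / `MR_IID` environment variables are assumptions made for the example. Run without those variables it checks the embedded sample data; with them set it queries GitLab.com.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Any, Callable

MASKED = "****"

# Constructed sample payloads shaped like the two GitLab REST responses the
# report compares. They are illustrative, not captured from GitLab.com; the
# ids, usernames and display names are assumptions for this example.
SAMPLE_DISCUSSIONS: list[dict[str, Any]] = [
    {
        "id": "d1",
        "notes": [
            {"id": 101, "body": "Looks good.",
             "author": {"id": 42, "username": "ai-reviewer-bot", "name": MASKED}},
        ],
    },
    {
        "id": "d2",
        "notes": [
            {"id": 102, "body": "Please add a test.",
             "author": {"id": 7, "username": "owner", "name": "Group Owner"}},
        ],
    },
]
SAMPLE_USERS: dict[int, dict[str, Any]] = {
    42: {"id": 42, "username": "ai-reviewer-bot", "name": "AI Reviewer Bot"},
    7: {"id": 7, "username": "owner", "name": "Group Owner"},
}


def gitlab_get(path: str, token: str, base: str = "https://gitlab.com/api/v4") -> Any:
    """GET a GitLab REST path with a personal access token and decode the JSON body."""
    req = urllib.request.Request(base + path, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_masked_authors(
    discussions: list[dict[str, Any]],
    lookup_user: Callable[[int], dict[str, Any]],
) -> list[dict[str, Any]]:
    """Return one finding per author whose name is "****" in the discussions
    payload but comes back unmasked from the users endpoint.

    An author masked in both places is not reported: that would be consistent
    masking, not the inconsistency the report describes. Each user id is
    looked up at most once.
    """
    findings: list[dict[str, Any]] = []
    checked: set[int] = set()
    for discussion in discussions:
        for note in discussion.get("notes", []):
            author = note.get("author") or {}
            uid = author.get("id")
            if uid is None or uid in checked:
                continue
            checked.add(uid)
            if author.get("name") != MASKED:
                continue
            users_name = lookup_user(uid).get("name")
            if users_name and users_name != MASKED:
                findings.append({
                    "user_id": uid,
                    "username": author.get("username"),
                    "note_id": note.get("id"),
                    "discussions_name": MASKED,
                    "users_name": users_name,
                })
    return findings


def check_live(token: str, project_id: str, mr_iid: str) -> list[dict[str, Any]]:
    """Fetch the first page (up to 100 discussions) of the MR and cross-check /users."""
    project = urllib.parse.quote(str(project_id), safe="")
    discussions = gitlab_get(
        f"/projects/{project}/merge_requests/{mr_iid}/discussions?per_page=100", token
    )
    return find_masked_authors(discussions, lambda uid: gitlab_get(f"/users/{uid}", token))


if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")  # assumed variable names
    if token and os.environ.get("PROJECT_ID") and os.environ.get("MR_IID"):
        results = check_live(token, os.environ["PROJECT_ID"], os.environ["MR_IID"])
    else:
        results = find_masked_authors(SAMPLE_DISCUSSIONS, lambda uid: SAMPLE_USERS[uid])
    for f in results:
        print(f"user {f['user_id']} ({f['username']}): "
              f"discussions={f['discussions_name']!r} users={f['users_name']!r}")
    print(f"{len(results)} inconsistent author(s)" if results else "no inconsistency found")
```

The live path only reads the first page of discussions; an MR with more than 100 discussions needs the usual `page` pagination loop. Authors whose name is `"****"` from both endpoints are deliberately skipped, so a non-empty result means exactly the mismatch the report describes.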
Expected behavior
The author name should be visible to the group owner in the discussions endpoint.
Actual behavior
The author name is masked as `"****"` in the discussions endpoint despite the group owner having full permissions.
Inconsistency
- `/api/v4/users/{id}` returns the actual author name
- `/api/v4/projects/{id}/merge_requests/{iid}/discussions` masks it as `"****"`
The data is clearly accessible (proven by the users endpoint), so the masking is a permission check bug in the discussions endpoint.
Environment
- GitLab.com (SaaS)
- Token type: Personal access token (group owner)
- Affected endpoint: `GET /api/v4/projects/:id/merge_requests/:merge_request_iid/discussions`
Edited by 🤖 GitLab Bot 🤖