Bug: AiUsageData GraphQL field returns null with no error on authorization failure
Summary
When a user lacks authorization to access AiUsageData (e.g., missing Duo Enterprise add-on
on pre-18.7, or insufficient role), the GraphQL field returns null with no error in the
response. Customers cannot distinguish "no data exists" from "you don't have permission."
Steps to reproduce
- Deploy GitLab 18.5.x self-managed with Duo Pro (not Duo Enterprise)
- Query the GraphQL API:

  ```graphql
  {
    group(fullPath: "my-group") {
      aiUsageData {
        codeSuggestionEvents(startDate: "2025-01-01", endDate: "2025-12-31") {
          nodes {
            user { username }
            timestamp
          }
        }
      }
    }
  }
  ```

- Observe: response contains `"aiUsageData": null` with no errors array entry
What is the current bug behavior?
The field resolves to null silently. The GraphQL response errors array is empty.
There is no indication that the null is due to authorization failure vs. no data.
What is the expected correct behavior?
Either:
- Return a GraphQL error with a message like "Duo Enterprise add-on required for this API on versions prior to 18.7" (preferred), or
- Return an empty collection (`{ nodes: [] }`) with a warning, or
- At minimum, document the null behavior in troubleshooting docs
Relevant logs and/or screenshots
The authorization check in ee/app/graphql/types/group_type.rb calls allowed? which
returns false, causing the field to resolve to null via standard GraphQL lazy resolution.
No error is raised or logged.
Note: The add-on gating was removed in 18.7 (#580174), but 18.5.x and 18.6.x are still under the maintenance policy and exhibit this behavior.
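
A client-side triage of the response shapes described in this report, as an added example that is not part of the original issue or of GitLab's code base. The function name, status symbols and sample responses are constructed for illustration, and the instance version is an input the caller supplies because the response does not carry it.

```ruby
require "json"

# Version in which, per this report, the add-on gating was removed.
GATING_REMOVED_IN = Gem::Version.new("18.7")

# Classify a response to the aiUsageData query from the reproduction steps.
# Returns [status, message]. `gitlab_version` is a hypothetical parameter.
def classify_ai_usage_response(body, gitlab_version)
  resp = JSON.parse(body)
  errors = resp["errors"] || []
  return [:error, errors.map { |e| e["message"] }.join("; ")] unless errors.empty?

  data = resp["data"]
  return [:malformed, "no data and no errors in response"] unless data.is_a?(Hash)

  group = data["group"]
  return [:group_null, "group is null; aiUsageData was never evaluated"] if group.nil?
  return [:malformed, "aiUsageData was not selected"] unless group.key?("aiUsageData")

  usage = group["aiUsageData"]
  if usage.nil?
    # The silent case: null field, empty errors array. It cannot be told
    # apart from the payload alone, so report it as ambiguous with a hint.
    gated = Gem::Version.new(gitlab_version) < GATING_REMOVED_IN
    hint = gated ? "pre-18.7: check the Duo Enterprise add-on and the caller's role" : "check the caller's role"
    return [:ambiguous_null, "aiUsageData is null with no error; #{hint}"]
  end

  nodes = usage.dig("codeSuggestionEvents", "nodes") || []
  nodes.empty? ? [:no_data, "field resolved; no events in range"] : [:ok, "#{nodes.size} event(s)"]
end

# Constructed sample responses (not captured from a real instance).
SILENT_NULL = '{"data":{"group":{"aiUsageData":null}}}'
EMPTY_RANGE = '{"data":{"group":{"aiUsageData":{"codeSuggestionEvents":{"nodes":[]}}}}}'
WITH_ERROR  = '{"data":{"group":{"aiUsageData":null}},"errors":[{"message":"constructed error"}]}'

if __FILE__ == $PROGRAM_NAME
  p classify_ai_usage_response(SILENT_NULL, "18.5.2")
  p classify_ai_usage_response(EMPTY_RANGE, "18.5.2")
  p classify_ai_usage_response(WITH_ERROR, "18.6.0")
end
```

An `:ambiguous_null` result is the case to escalate to an administrator rather than report as "no usage".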