
Allow provisioning group to view member email addresses via API

Drew Blessing requested to merge dblessing_group_email_address into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Fixes #26068 (closed).

Exposes group and project member email address to owners and maintainers when the user is provisioned by that group.

Initially I made the change within UserBasic entity in EE. But this caused a cascade of N+1's across dozens of endpoints. I started chasing those N+1's but it became overwhelming, especially given we haven't expressed an explicit need for email addresses to be exposed in all these other API responses.

In the end I decided to create a new entity that inherits from UserBasic. Naming is hard, but I ended up with UserWithProvisionedAttrs and overrode :user in the EE Members entity.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Create a group
  2. Add/ensure the current user is a group owner.
  3. Invite another user to the group as a member.
  4. Create an access token for the current user.
    1. In the top right, click the Avatar -> Edit Profile
    2. Visit 'Access Tokens'
    3. Create a new personal access token with at least read_api permissions.
    4. Save the token for the next steps
  5. Use a Rails console to artificially mark the user as provisioned
    1. gdk console
    2. Run the following commands, substituting values as appropriate.
      user = User.find_by_username('the_user')
      group = Group.find_by_full_path('the_group_path')
      user.provisioned_by_group = group 
      user.save
      exit
  6. Curl or otherwise call the members API
    curl --header "PRIVATE-TOKEN: glpat-yourpat" "https://gdk.test:3443/api/v4/groups/<the_group_path>/members"

Observe that the user you marked as provisioned will have an email attribute. Any other members should not.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing
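The final validation step above can be checked mechanically rather than by eye. The following is an added example, not code from the merge request or from GitLab: it audits a members API response and reports any member whose email is exposed without being in the expected provisioned set, and any provisioned member whose email is missing. The function names and the sample response are constructed for illustration.

```ruby
require 'json'

# Constructed sample of a members API response (not real data).
# Only "the_user" is assumed to be provisioned by the group.
SAMPLE_MEMBERS_JSON = <<~JSON
  [
    {"id": 1, "username": "group_owner", "access_level": 50},
    {"id": 2, "username": "the_user", "access_level": 30, "email": "the_user@example.com"},
    {"id": 3, "username": "other_member", "access_level": 30}
  ]
JSON

# Hypothetical helper: compares the emails actually exposed in the response
# with the set of usernames expected to be provisioned by the group.
#   :unexpected - members exposing an email who are NOT expected to
#   :missing    - expected provisioned members present without an email
def audit_member_emails(json, provisioned_usernames)
  members = JSON.parse(json)
  # An error body such as {"message": "401 Unauthorized"} is an object, not a list.
  raise ArgumentError, 'expected a JSON array of members' unless members.is_a?(Array)

  expected   = provisioned_usernames.map(&:to_s)
  present    = members.map { |m| m['username'] }
  with_email = members.select { |m| !m['email'].to_s.empty? }
                      .map { |m| m['username'] }

  {
    unexpected: (with_email - expected).sort,
    missing: ((expected & present) - with_email).sort
  }
end

# True only when exposure matches the expectation exactly.
def exposure_ok?(json, provisioned_usernames)
  audit_member_emails(json, provisioned_usernames).values.all?(&:empty?)
end

puts audit_member_emails(SAMPLE_MEMBERS_JSON, ['the_user']).inspect
```

To check a live instance, pass the saved output of the curl call in step 6 as the first argument in place of the sample.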
