Added authentication on autocomplete_sources members endpoint
What does this MR do and why?
- This MR fixes a bug in the autocomplete sources endpoint that allowed an anonymous user to fetch the members list.
- The expected behaviour of the autocomplete_sources endpoint is to redirect to the login page if the user is not logged in, but because of the bug, anonymous users were able to fetch the list of members. For example, open https://gitlab.com/gitlab-org/gitlab/-/autocomplete_sources/members?type=MergeRequest&type_id=96848 in an incognito window without logging in.
- The expected behaviour was deduced from the test cases written for this endpoint.
- This MR makes user authentication compulsory for this endpoint.
Screenshots or screen recordings
Project member: after and before will be the same.
Non project member: after and before will be the same.
Anonymous user:
Before
After
How to set up and validate locally
- Create a public project public_project under the group public_group.
- Add user user1 to public_project as a member.
- Create an issue in public_project as user1. Let's say the id of this issue is 1.
- user1 and user2 (a random user who is not a project member) should be able to get a JSON array containing the list of project members when opening http://127.0.0.1:3000/public_group/public_project/-/autocomplete_sources/members?type=Issue&type_id=1 in a browser window where the user is logged in.
- If no user is logged in, then opening http://127.0.0.1:3000/public_group/public_project/-/autocomplete_sources/members?type=Issue&type_id=1 should show the login screen.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #36069 (closed)
Edited by Hitesh Raghuvanshi