
Putting CI/CD settings behind appropriate permission levels

Max Fan requested to merge 387741-hide-cicd-settings into master

What does this MR do and why?

Currently we return sensitive information in our REST endpoints for CI/CD Settings.

Adding a check so that these settings are returned only to maintainers and above. This is similar to the behaviour in the UI, where only maintainers and above can view admin settings.

Screenshots or screen recordings

Settings are not returned in the Projects API

How to set up and validate locally

  1. Create access tokens for the project via Settings -> Access Tokens on the sidebar of a project
  2. Using Bearer token authorization, try reporter or lower-level access tokens
  3. CI/CD settings fields should no longer be returned

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #387741 (closed)

Edited by Max Fan
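The gate this MR describes, as an added Ruby example that is not GitLab's code: CI/CD settings fields are included in the serialised project only for maintainers and above, with a small helper for the step-3 check in the validation procedure. The numeric access levels follow GitLab's roles; the list of CI/CD fields and the sample project hash are assumptions.

```ruby
# Added example (not GitLab's code): role-gated exposure of CI/CD settings
# in an API response. Access level values follow GitLab's numeric roles;
# the set of fields treated as CI/CD settings is an assumption.
require 'json'

module AccessLevel
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Fields treated as CI/CD settings for this example (assumed list).
CICD_SETTINGS = %w[ci_config_path build_timeout auto_cancel_pending_pipelines
                   ci_default_git_depth].freeze

# Serialise a project hash for a requester with the given access level.
# Base fields go to everyone who can read the project; CI/CD settings are
# merged in only when the requester is a maintainer or above.
def serialize_project(project, access_level)
  base = project.reject { |key, _| CICD_SETTINGS.include?(key) }
  return base if access_level < AccessLevel::MAINTAINER

  base.merge(project.slice(*CICD_SETTINGS))
end

# Validation helper for step 3: given a decoded API response, return the
# CI/CD settings keys that leaked. An empty array means the check passes.
def leaked_cicd_fields(response)
  response.keys & CICD_SETTINGS
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample project, not a real API response.
  project = { 'id' => 1, 'name' => 'demo',
              'ci_config_path' => 'ci/.gitlab-ci.yml', 'build_timeout' => 3600 }
  reporter_view = serialize_project(project, AccessLevel::REPORTER)
  puts JSON.pretty_generate(reporter_view)
  puts "leaked: #{leaked_cicd_fields(reporter_view).inspect}"
end
```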
