Complete remaining auth TODOs prior to appsec review (!118698) · Merge requests · GitLab.org / GitLab

Jerry Seto requested to merge 403623-auth-todos into remote_dev Apr 25, 2023

What does this MR do and why?

Add authorization checks and tests, resolve all auth TODOs

See Issue: Complete remaining auth TODOs prior to appsec r... (#403623 - closed)

Tasks

add authorization checks to graphql endpoints and services
add tests
ensure all TODOs from Complete remaining auth TODOs prior to appsec r... (#403623 - closed) are addressed and removed
do some basic exploratory testing to ensure the auth works as designed (e.g. try to access a workspace you don't own via the GraphQL API, and other basic exercises of all the policies we have defined)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

~~I have evaluated the MR acceptance checklist for this MR.~~

Related to #403623 (closed)

Edited Apr 27, 2023 by Jerry Seto

Complete remaining auth TODOs prior to appsec review

What does this MR do and why?

Tasks

MR acceptance checklist

Merge request reports