Only allow group owners to query environment scopes (!127384) · Merge requests · GitLab.org / GitLab

Erick Bajao requested to merge eb-fix-environment-scopes-graphql-auth into master Jul 24, 2023

What does this MR do and why?

Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/418854

This prevents environment scopes to be queried by non-group-owners through GraphQL.

This is to be in-line with our documentation.

How to set up and validate locally

Access https://gitlab.com/-/graphql-explorer

Execute a query to a group that the requester belongs as Guest user

query {
  group(fullPath: "group-name") {
    id
    environmentScopes {
      nodes {
        name
      }
    }
  }
}

Confirm that the information is not returned to Guest user.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Only allow group owners to query environment scopes

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports