Skip to content
Snippets Groups Projects

Only allow group owners to query environment scopes

Merged Only allow group owners to query environment scopes
eb-fix-environment-scopes-graphql-auth into master
Merged Erick Bajao requested to merge eb-fix-environment-scopes-graphql-auth into master

What does this MR do and why?

Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/418854

This prevents environment scopes to be queried by non-group-owners through GraphQL.

This is to be in-line with our documentation.

How to set up and validate locally

  1. Access https://gitlab.com/-/graphql-explorer
  2. Execute a query to a group that the requester belongs as Guest user 
    query {
  group(fullPath: "group-name") {
    id
    environmentScopes {
      nodes {
        name
      }
    }
  }
}
  3. Confirm that the information is not returned to Guest user.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
Please register or sign in to reply