
Only allow group owners to query environment scopes

Erick Bajao requested to merge eb-fix-environment-scopes-graphql-auth into master

What does this MR do and why?

Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/418854

This prevents environment scopes from being queried by non-group-owners through GraphQL.

This is to be in line with our documentation.

How to set up and validate locally

  1. Access https://gitlab.com/-/graphql-explorer
  2. Execute a query against a group to which the requester belongs as a Guest user
    query {
      group(fullPath: "group-name") {
        id
        environmentScopes {
          nodes {
            name
          }
        }
      }
    }
  3. Confirm that the information is not returned to the Guest user.
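The validation steps above check the behaviour from the outside. The following is an added example, not code from this MR or from GitLab, that models the owner-only check in plain Ruby so the expected outcome for each role can be exercised offline: a resolver for the group `environmentScopes` field returns the scope names only when the current user holds the Owner access level on the group, and returns `nil` (serialised as a null field) for a Guest, for a Maintainer, and for an unauthenticated request. The class and method names (`Group`, `Member`, `EnvironmentScopesResolver`, `execute_query`, `scopes_hidden?`), the numeric access levels, the `gid://` id format and the sample group data are all assumptions made for the illustration.

```ruby
# Added example (not GitLab code): a minimal model of the owner-only
# authorization applied to the group `environmentScopes` GraphQL field.
# All names, access-level numbers and sample data below are assumptions.

# Assumed numeric access levels; higher means more access.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

User = Struct.new(:username)
Member = Struct.new(:user, :access_level)

class Group
  attr_reader :id, :full_path, :environment_scopes

  def initialize(id, full_path, environment_scopes)
    @id = id
    @full_path = full_path
    @environment_scopes = environment_scopes
    @members = {}
  end

  def add_member(user, role)
    @members[user.username] = Member.new(user, ACCESS_LEVELS.fetch(role))
  end

  # Highest access level the user holds on this group; 0 for non-members
  # and for an unauthenticated (nil) user.
  def max_access_for(user)
    member = @members[user&.username]
    member ? member.access_level : 0
  end

  def owner?(user)
    max_access_for(user) >= ACCESS_LEVELS[:owner]
  end
end

# Resolver for `group { environmentScopes { nodes { name } } }`.
# Owners get the scope names; anyone else gets nil, so the response
# carries a null field instead of the scope list.
class EnvironmentScopesResolver
  def self.resolve(group, current_user)
    return nil unless group.owner?(current_user)

    { "nodes" => group.environment_scopes.map { |name| { "name" => name } } }
  end
end

# Simulates executing the query from the validation steps for a given user.
# Returns a response hash shaped like the GraphQL JSON; no network call.
def execute_query(group, current_user)
  {
    "data" => {
      "group" => {
        "id" => "gid://gitlab/Group/#{group.id}", # assumed id format
        "environmentScopes" => EnvironmentScopesResolver.resolve(group, current_user)
      }
    }
  }
end

# Constructed sample data: one group with three scopes and three members.
def sample_group
  group = Group.new(1, "group-name", ["*", "production", "staging"])
  group.add_member(User.new("guest-user"), :guest)
  group.add_member(User.new("maintainer-user"), :maintainer)
  group.add_member(User.new("owner-user"), :owner)
  group
end

# Mirrors step 3 of the validation: true when the scopes are not exposed.
def scopes_hidden?(response)
  response.dig("data", "group", "environmentScopes").nil?
end

if __FILE__ == $PROGRAM_NAME
  group = sample_group
  puts "guest hidden:      #{scopes_hidden?(execute_query(group, User.new('guest-user')))}"
  puts "maintainer hidden: #{scopes_hidden?(execute_query(group, User.new('maintainer-user')))}"
  puts "owner hidden:      #{scopes_hidden?(execute_query(group, User.new('owner-user')))}"
end
```

The check is deliberately on the Owner level rather than on "is a member", since the point of the fix is that membership alone (Guest through Maintainer) must not expose the scopes; the resolver returning `nil` rather than raising keeps the rest of the `group` object queryable while the restricted field comes back null.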

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
