Skip to content

Obfuscate external participants emails in system notes

Marc Saleiko requested to merge ms-obfuscate-issue-email-participant-system-notes into master

Feature context

External issue participants are a record in issue_email_participants and are not connected to a User and cannot log in to GitLab. They can only interact with the issue (or work item) via email. An issue can have 0..n external participants and we're working on adding management functionality (quick actions, system notes etc.) to it using the issue_email_participants feature flag. The target milestone for a release is 16.9.

An external participant receives a Service Desk email whenever a new comment that's not internal has been added to an issue. They can reply to the email and their comment will be added (using the GitLab Support Bot).

What does this MR do and why?

When managing external participants in an issue we add system notes to display which email was added or removed. On public issues or for guest users this information should not be visible.

This MR adds obfuscation to issue email participant system notes, so no email addresses are disclosed if the user does not have the needed role.

It also adds the obfuscation logic to the REST and GraphQL APIs. It introduces a NotePresenter that these APIs use. This will also allow us to migrate helper logic to the presenter.

Solves #456109

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After
image image

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Select a project and enable the feature flag for issue_email_participants. 
    project = Project.find(7)

Feature.enable(:issue_email_participants, project)
  2. Browse to an issue in the project and add a comment with /invite_email user@example.com. You can see the system note is displayed without obfuscation.
  3. Only users with at least the reporter role in a project should not be able to see the full email address. So simulate this, you can comment the following line, so it will always obfuscate system notes about issue email participants: app/serializers/note_entity.rb:128 
    return body if can?(current_user, :read_external_emails, object.project)
  4. Now play around with the quick actions /invite_email and /remove_email

Check via GraphQl

  1. Figure out the global id of the aboveissue. I simply looked it up Issue.last
  2. Then use the GraphQl explorer and run this query 
    query {
  issue(id: "gid://gitlab/Issue/609") {
    id
    iid
    title
    notes {
      edges {
        node {
          id
          body
          bodyHtml
        }
      }
    }
  }
}
  3. You should see the notes unobfuscated.
  4. Now open a new private window and run the same query (ensure the project is public and the issue is not confidential or log in with a user that has the guest role in the project)
  5. You should see body and bodyHtml being obfuscated.
Edited by Marc Saleiko

Merge request reports