Hide the `created_by` attribute from group/project non-admins
What does this MR do and why?
This is a follow-up of !144638 (merged).
After we enable the `webui_members_inherited_users` feature flag, we'll start returning the invited private group members in the project/group members for the `/source/:id/members/all` and `/source/:id/members/all/:user_id` APIs. Here we're hiding the `created_by` attribute from the non-admins of the shared group/project.
This is required because sometimes the members are added by project/group bots, and therefore `created_by` can reveal some information about the group, like the group name. This is not a security issue but might be a privacy concern for some users.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
For project:
- Enable the feature flag: `Feature.enable(:webui_members_inherited_users)`.
- Login using `user1` and create 2 private groups called `Group1` & `Invited-group`.
- Create `Shared-project` under `Group1`.
- Invite `user2` to `Invited-group` and `user3` to `Shared-project` with Developer access.
- Now invite `Invited-group` to `Shared-project` using the Invite a group button on https://gdk.test:3000/group1/shared-project/-/project_members
- Now log in using `user3`.
- Check out this branch and call this API using the `Shared-project` id: https://gdk.test:3000/api/v4/projects/:id/members/all.
- The `created_by` attribute should not be present for `user2`.
For group:
Create a group called `Shared-group` instead of `Shared-project` and repeat the above steps.
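To make the last validation step repeatable, here is an added Ruby example (not GitLab's own code) that applies the exposure rule described in this MR to a constructed sample of the `/members/all` response and reports which entries still carry `created_by`. The sample JSON, the `requester_can_admin:` keyword and both helper names are assumptions made for the illustration:

```ruby
require 'json'

# Constructed sample of what GET /api/v4/projects/:id/members/all could
# return before the fix: `created_by` is present for every member,
# including user2, who only reaches the project through Invited-group.
SAMPLE_MEMBERS_JSON = <<~JSON
  [
    {"id": 3, "username": "user3", "access_level": 30,
     "created_by": {"id": 1, "username": "user1"}},
    {"id": 2, "username": "user2", "access_level": 30,
     "created_by": {"id": 1, "username": "user1"}}
  ]
JSON

# Illustrative version of the rule this MR describes (not GitLab's
# implementation): only a requester who can admin the shared
# project/group keeps `created_by`; everybody else gets it stripped.
def redact_created_by(members, requester_can_admin:)
  members.map do |member|
    next member if requester_can_admin
    member.reject { |key, _| key == 'created_by' }
  end
end

# Validation helper for the manual steps above: parse a raw API body and
# return the usernames whose entries still expose `created_by`.
# An empty array means the check passed.
def members_exposing_created_by(json_body)
  JSON.parse(json_body)
      .select { |member| member.key?('created_by') }
      .map { |member| member['username'] }
end

if __FILE__ == $PROGRAM_NAME
  members = JSON.parse(SAMPLE_MEMBERS_JSON)
  non_admin_view = JSON.generate(redact_created_by(members, requester_can_admin: false))
  admin_view = JSON.generate(redact_created_by(members, requester_can_admin: true))
  puts "non-admin view exposes created_by for: #{members_exposing_created_by(non_admin_view).inspect}"
  puts "admin view exposes created_by for:     #{members_exposing_created_by(admin_view).inspect}"
end
```

When validating against GDK, feed `members_exposing_created_by` the body returned by `curl --header "PRIVATE-TOKEN: <user3 token>" https://gdk.test:3000/api/v4/projects/:id/members/all` instead of the constructed sample; with this branch checked out and `user3` as the requester the result should be empty.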
Related to #219230 (closed)