Fix missing properties in projects API for unauthenticated users

What does this MR do and why?

Fix missing properties in projects API for unauthenticated users, one of them being `forked_from_project` (so this MR resolves #361952).

The API response returned to unauthenticated users was based on `BasicProjectDetails` instead of its `Projects` subclass, causing properties to be missing regardless of access control.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

This should not give unauthenticated users any more access than unprivileged authenticated users, but tagging @gitlab-com/gl-security/appsec security just in case, as it now makes unauthenticated users go through a code path that was only for authenticated users so far.

Edited by Val Lorentz
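
A regression check for the concern raised in the description above, written as an added example that is not part of the merge request or of GitLab's code: it compares the fields an unauthenticated caller receives with those an unprivileged authenticated caller receives for the same project. The sample payloads and the helper names `field_paths` and `compare_exposure` are constructed for illustration.

```ruby
require 'json'
require 'set'

# Collect every key path in a parsed JSON value, e.g. "forked_from_project.id".
# Array elements are folded under "[]" so element order and count do not matter.
def field_paths(value, prefix = nil, acc = Set.new)
  case value
  when Hash
    value.each do |key, child|
      path = prefix ? "#{prefix}.#{key}" : key.to_s
      acc << path
      field_paths(child, path, acc)
    end
  when Array
    value.each { |child| field_paths(child, "#{prefix}[]", acc) }
  end
  acc
end

# Compare what an unauthenticated caller sees with what an unprivileged
# authenticated caller sees for the same project.
#   :missing - fields absent for the anonymous caller (the bug being fixed)
#   :excess  - fields only the anonymous caller sees (the access-control concern)
def compare_exposure(anonymous_json, authenticated_json)
  anon = field_paths(JSON.parse(anonymous_json))
  auth = field_paths(JSON.parse(authenticated_json))
  { missing: (auth - anon).sort, excess: (anon - auth).sort }
end

# Constructed sample payloads, not real API output.
AUTHENTICATED = <<~JSON
  {"id": 1, "name": "fork", "forked_from_project": {"id": 2, "name": "upstream"}}
JSON
ANONYMOUS_BEFORE = '{"id": 1, "name": "fork"}'
ANONYMOUS_AFTER  = AUTHENTICATED

if __FILE__ == $PROGRAM_NAME
  puts "before: #{compare_exposure(ANONYMOUS_BEFORE, AUTHENTICATED)}"
  puts "after:  #{compare_exposure(ANONYMOUS_AFTER, AUTHENTICATED)}"
end
```

A non-empty `:excess` list is the result a security reviewer would block on; a non-empty `:missing` list reproduces the issue this MR resolves.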
