Restrict namespace API billing fields based on user permissions

What does this MR do and why?

Restrict the following namespace API billing fields based on user permissions.

seats_in_use
max_seats_used
max_seats_used_changed_at
end_date

This change is behind a feature flag. When enabled, these fields are only returned to users with billing access permissions.

References

Issue: #517976 (closed)

How to set up and validate locally

  1. Create 2 users
  2. As "user 1" create a group and make note of the group id.
  3. Invite "user 2" to the group as a guest
  4. As "user 2" fetch the namespace via API
curl -X GET 'http://localhost:3000/api/v4/namespaces/<group_id>' \
  --header 'PRIVATE-TOKEN: <user-2-api-token>'
  5. Notice fields are returned
{
  "id": 108,
  "name": "first_group",
  "path": "first_group",
  "kind": "group",
  "full_path": "first_group",
  "parent_id": null,
  "avatar_url": null,
  "web_url": "http://127.0.0.1:3000/groups/first_group",
  "billable_members_count": 2,
  "seats_in_use": 2,
  "max_seats_used": 0,
  "max_seats_used_changed_at": null,
  "end_date": null
}
  6. In the Rails console enable the feature flag
Feature.enable(:restrict_namespace_api_billing_fields)
  7. Run the same curl, notice billing fields are now null
{
  "id": 108,
  "name": "first_group",
  "path": "first_group",
  "kind": "group",
  "full_path": "first_group",
  "parent_id": null,
  "avatar_url": null,
  "web_url": "http://127.0.0.1:3000/groups/first_group",
  "billable_members_count": null,
  "seats_in_use": null,
  "max_seats_used": null,
  "max_seats_used_changed_at": null,
  "end_date": null
}
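Added example for running the validation above as a script (this is not code from the MR or from GitLab; it only talks to the public REST endpoint the curl command uses). It assumes a local GDK on http://localhost:3000 and that "user 1", as the group owner, has billing access and therefore still sees the values with the flag enabled. The field list is the four fields named in the description; `billable_members_count`, which the second curl output also shows as null, can be passed in via `fields:`. The script compares the owner's response with the guest's, because a field that is null in both (as `max_seats_used_changed_at` and `end_date` are for a fresh group) cannot tell "hidden" apart from "no value yet"; the sample responses are constructed from the two curl outputs above so the script runs offline.

```ruby
require 'json'
require 'net/http'
require 'uri'

# The four fields the MR description says are restricted.
RESTRICTED_BILLING_FIELDS = %w[seats_in_use max_seats_used max_seats_used_changed_at end_date].freeze

# GET /api/v4/namespaces/:id as the user owning `token` (assumed local GDK on
# localhost:3000, as in the curl command above). Not exercised in the offline run.
def fetch_namespace(group_id, token, base_url: 'http://localhost:3000')
  uri = URI("#{base_url}/api/v4/namespaces/#{group_id}")
  req = Net::HTTP::Get.new(uri)
  req['PRIVATE-TOKEN'] = token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  raise "GET #{uri} failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)

  JSON.parse(res.body)
end

# Classify each restricted field by comparing what a billing-privileged user
# (assumed: the group owner) sees against what the guest sees:
#   leaked       - guest got a real value, so the restriction is not working
#   hidden       - owner has a value, guest got null, so the restriction works
#   inconclusive - null for both; the field has no value yet, this run proves nothing
def classify_billing_fields(owner_json, guest_json, fields: RESTRICTED_BILLING_FIELDS)
  result = { leaked: [], hidden: [], inconclusive: [] }
  fields.each do |field|
    if !guest_json[field].nil?
      result[:leaked] << field
    elsif !owner_json[field].nil?
      result[:hidden] << field
    else
      result[:inconclusive] << field
    end
  end
  result
end

# True only when nothing leaked AND at least one field was positively shown hidden.
# A run where every field is inconclusive is not a pass.
def restriction_verified?(owner_json, guest_json, fields: RESTRICTED_BILLING_FIELDS)
  c = classify_billing_fields(owner_json, guest_json, fields: fields)
  c[:leaked].empty? && !c[:hidden].empty?
end

# Constructed sample responses shaped like the two curl outputs above (group 108).
# OWNER_RESPONSE assumes the owner keeps seeing the values once the flag is on.
OWNER_RESPONSE = JSON.parse(<<~JSON)
  {"id": 108, "kind": "group", "full_path": "first_group",
   "billable_members_count": 2, "seats_in_use": 2, "max_seats_used": 0,
   "max_seats_used_changed_at": null, "end_date": null}
JSON

GUEST_BEFORE_FLAG = JSON.parse(<<~JSON)
  {"id": 108, "kind": "group", "full_path": "first_group",
   "billable_members_count": 2, "seats_in_use": 2, "max_seats_used": 0,
   "max_seats_used_changed_at": null, "end_date": null}
JSON

GUEST_AFTER_FLAG = JSON.parse(<<~JSON)
  {"id": 108, "kind": "group", "full_path": "first_group",
   "billable_members_count": null, "seats_in_use": null, "max_seats_used": null,
   "max_seats_used_changed_at": null, "end_date": null}
JSON

if $PROGRAM_NAME == __FILE__
  # Offline run against the constructed samples. Against a live GDK, replace the
  # constants with fetch_namespace(group_id, owner_token) / fetch_namespace(group_id, guest_token).
  p classify_billing_fields(OWNER_RESPONSE, GUEST_BEFORE_FLAG)
  p classify_billing_fields(OWNER_RESPONSE, GUEST_AFTER_FLAG)
  p restriction_verified?(OWNER_RESPONSE, GUEST_AFTER_FLAG)
end
```

To get a conclusive result for `max_seats_used_changed_at` and `end_date` on a live instance, give the group a value for them first (for example by raising the seat usage so `max_seats_used` changes), then re-run the comparison; otherwise those two stay in the inconclusive bucket no matter what the flag does.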

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ryan Cobb
