Revert "Merge branch '582001/aslota-remove-per-participant-permission-check' into 'master'"
Background
As part of discussions in this issue, and with approval from the AppSec team, we removed per-source and per-participant permission checks from the participants API endpoints to improve performance. These changes ensured that all participants were listed regardless of their current access level to the issuable's parent (project or group) or the participatable source (such as a note). We also updated the documentation to reflect that this is now the expected behaviour.
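The difference between the two behaviours described above, as an added illustration that is not GitLab's code: a constructed model of a private project, its members and a few notes, with the participants collected once without any check (the behaviour the reverted MRs introduced) and once with the per-participant and per-source checks this revert restores. The visibility rules (members-only parent, internal notes readable from reporter upward) are assumptions chosen for the example, not a statement of GitLab's actual policy.

```ruby
# Added example, not GitLab's implementation. Models the per-participant and
# per-source permission filter whose removal this MR reverts.

# Constructed model: a private project whose members map to a role.
class Project
  ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

  attr_reader :members # { username => role }

  def initialize(members)
    @members = members
  end

  # Assumed rule: the parent of a private project is readable by members only.
  def readable_by?(user)
    members.key?(user)
  end

  def role_rank(user)
    ROLE_RANK.fetch(members[user], 0)
  end
end

# Constructed model of a participatable source: a note that makes its author
# and anyone it mentions a participant of the issuable.
class Note
  attr_reader :project, :author, :mentions, :internal

  def initialize(project:, author:, mentions: [], internal: false)
    @project = project
    @author = author
    @mentions = mentions
    @internal = internal
  end

  def participants
    [author, *mentions]
  end

  # Assumed rule: an internal note is readable only by members at reporter or above.
  def readable_by?(user)
    return false unless project.readable_by?(user)

    !internal || project.role_rank(user) >= Project::ROLE_RANK[:reporter]
  end
end

# Behaviour introduced by the reverted MRs: every participant from every source,
# regardless of their current access to the parent or the source.
def participants_unfiltered(notes)
  notes.flat_map(&:participants).uniq
end

# Behaviour this revert restores: a participant is listed only if they can still
# read the parent and can read the source they were collected from.
def participants_filtered(project, notes)
  notes.each_with_object([]) do |note, acc|
    note.participants.each do |user|
      next unless project.readable_by?(user) && note.readable_by?(user)

      acc << user unless acc.include?(user)
    end
  end
end

# Constructed sample: "mallory" commented and was later removed from the
# project; "guest_g" is a guest who was mentioned in an internal note.
SAMPLE_PROJECT = Project.new('alice' => :maintainer, 'bob' => :developer, 'guest_g' => :guest)
SAMPLE_NOTES = [
  Note.new(project: SAMPLE_PROJECT, author: 'alice', mentions: ['bob']),
  Note.new(project: SAMPLE_PROJECT, author: 'mallory'),
  Note.new(project: SAMPLE_PROJECT, author: 'bob', mentions: ['guest_g'], internal: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{participants_unfiltered(SAMPLE_NOTES).inspect}"
  puts "filtered:   #{participants_filtered(SAMPLE_PROJECT, SAMPLE_NOTES).inspect}"
end
```

Running the file lists `mallory` and `guest_g` only in the unfiltered result: the removed member fails the parent check, and the guest fails the source check for the internal note that mentioned her. That disclosure of who is still, or was ever, attached to an issuable is the behaviour customers raised, and the per-check cost is the performance trade-off the original MRs removed.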
Purpose of revert
After receiving an influx of support tickets and concerns from customers about security, we decided to revert the changes and re-evaluate how we want to move forward.
This MR reverts !213623 (merged) and !214345 (merged).
References
Checklist
- Create an issue to reinstate the merge request and assign it to the author of the reverted merge request.
- If the revert is to resolve a broken `master` incident, please read through the Responsibilities of the Broken `master` resolution DRI.
- If the revert involves a database migration, please read through Deleting existing migrations.
- Add the appropriate labels before the MR is created. We can skip CI/CD jobs only if the labels are added before the CI/CD pipeline is created.
Milestone info
- I am reverting something in the current milestone. No changelog is needed, and I've added a ~"regression:*" label.
- I am reverting something in a different milestone. A changelog is needed, and I've removed the ~"regression:*" label.
Related issues and merge requests
Edited by Agnes Slota