Add field authorization to Pipeline fields [RUN ALL RSPEC] [RUN AS-IF-FOSS] (!60754) · Merge requests · GitLab.org / GitLab

Alex Kalderimis requested to merge 329695-add-read_commit_status-field-authorization-to-pipeline-fields-that-can-return-jobs into master Apr 30, 2021

What does this MR do?

This MR addresses the bug seen in #329695 (closed), where we were returning stages and groups to users without jobs in them.

This was due to the fact that we made group-by queries for jobs first, and only later in the GQL query life-cycle (right at the end) do we redact unauthorized information.

Quite apart from the performance benefits of not running queries we know cannot return any results, the current approach runs the risk of exposing data (stage and group names) that is technically unauthorized.

Generally stage and group names are not considered to be security risks, but we should not be exposing them to guest users (which is what we are doing).

Does this MR meet the acceptance criteria?

Conformity

📋 Does this MR need a changelog?
- I have included a changelog entry.
Documentation (if required)
Code review guidelines
Merge request performance guidelines
Style guides
Database guides
Separation of EE specific content

Availability and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.

Related to #329695 (closed)

Edited May 06, 2021 by 🤖 GitLab Bot 🤖

Add field authorization to Pipeline fields [RUN ALL RSPEC] [RUN AS-IF-FOSS]

What does this MR do?

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Merge request reports