Move `skip_auth` from `params` to `#execute`
What does this MR do and why?
Support for a skip_auth
option was added to Issues::UpdateService
in
!64929 (merged) to allow
that service to skip its authorization step.
The option was previously passed through alongside the regular issue
attribute params
. As the params
often come from user-land, the risk
is an exploitable situation where inadequately filtered params are
passed to the service, allowing a user to skip the authorization.
Currently, in every instance of this service, we use strong params or forms thereof, so the exploit is not possible https://gitlab.com/gitlab-org/gitlab/-/issues/341464#audit-of-uses-of-issuesupdateservice.
However, we should avoid the possibility of the option being exploitable in future and move this option from the params
hash to #execute
. This is a method used in a number of services and finders.
#341464 (will become public when this MR is merged https://gitlab.com/gitlab-org/gitlab/-/issues/341464#note_683851060).
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #341464