Vulnerability-related fields are available to unauthorized users on GraphQL API
## Why are we doing this work

The `Pipeline#securityReportFindings` and `Pipeline#securityReportSummary` fields are not protected from access by unauthorized users! I checked the original MRs introducing these fields (!54104 and !31550) to understand whether this is a regression, but it seems the permission checks were missing from the beginning.

## Relevant links

- I've discovered this after the thread initiated by @stanhu and the question from @adamcohen [here](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75001#note_753853999).

## Steps to reproduce

You can use the following curl command to verify that these sensitive fields are available to anyone!

**If you run this command, add [your IP](https://icanhazip.com/) and approximate timestamp to this table**

| Who? | IP Address | Timestamp (`date -u`) |
| -------- | --------------- | ---------------------------- |
| `@bwill` | `136.49.173.76` | Wed Dec 8 20:17:57 UTC 2021 (probably about 15-20 mins before this) |
| `@thiagocsf` | `59.102.81.249` | Wed Dec 8 19:48:00 UTC 2021 |
| `@ngeorge1` | `122.181.40.178` | Thu Dec 9 12:02:10 UTC 2021 |
| `@quintasan` | `31.178.237.73` | Mon Dec 13 12:53:14 UTC 2021 |

```sh
curl 'https://gitlab.com/api/graphql' \
  -H 'authority: gitlab.com' \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  --data-raw '{"query":"query {\n project(fullPath: \"gitlab-org/gitlab\") {\n id\n pipeline(iid: 1031272) {\n id\n \n securityReportFindings{\n nodes {\n name\n }\n }\n \n securityReportSummary {\n dependencyScanning {\n scannedResourcesCount\n }\n }\n }\n }\n}","variables":{},"operationName":null}' \
  --compressed
```

## Implementation plan

- [ ] ~backend Required permissions must be applied for these fields
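The curl command above only shows that the fields come back; it does not tell you, once a fix lands, whether the endpoint is actually closed. The script below is an added example written for this issue (it is not GitLab code and not part of the report). It sends the same selection set as the curl reproduction, then reports which of the two sensitive fields resolved to a non-null value. Run it once without a token (anonymous) and once with a personal access token for a user who can see the project: the anonymous run should return an empty list after the fix, the authenticated one should still return both fields. Assumptions: the `Authorization: Bearer <token>` header is the documented way to authenticate GitLab GraphQL calls; the `project(fullPath:)` and `pipeline(iid:)` arguments are taken verbatim from the curl command; the two sample responses at the bottom are constructed, not captured from gitlab.com. Because it hits the same endpoint, the request in the issue to record your IP and timestamp in the table applies to this script as well.

```python
"""Check whether securityReportFindings / securityReportSummary resolve for a
GraphQL caller who should not see them.

Added example for this issue, not GitLab code.  Sends the same query as the
curl reproduction and reports which sensitive fields came back non-null.
"""
import json
import sys
import urllib.request

GITLAB_GRAPHQL = "https://gitlab.com/api/graphql"

# JSON path, inside the GraphQL response, of each field this issue is about.
SENSITIVE_FIELDS = {
    "securityReportFindings": ("data", "project", "pipeline", "securityReportFindings"),
    "securityReportSummary": ("data", "project", "pipeline", "securityReportSummary"),
}


def build_payload(full_path, pipeline_iid):
    """Same selection set as the issue's curl command.  The project path is
    JSON-quoted so it cannot break out of the GraphQL string literal."""
    query = (
        "query { project(fullPath: {path}) { id pipeline(iid: {iid}) { id "
        "securityReportFindings { nodes { name } } "
        "securityReportSummary { dependencyScanning { scannedResourcesCount } } "
        "} } }"
    ).replace("{path}", json.dumps(full_path)).replace("{iid}", str(int(pipeline_iid)))
    return {"query": query, "variables": {}, "operationName": None}


def dig(obj, path):
    """Walk nested dicts; None if any step is missing or null."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def exposed_fields(response):
    """Names of the sensitive fields that resolved to data.

    A field whose authorization check fails is nulled by the GraphQL layer,
    so a fixed endpoint yields [] for an anonymous caller.  A null `project`
    or `pipeline`, or an errors-only response, also counts as not exposed."""
    return sorted(
        name for name, path in SENSITIVE_FIELDS.items()
        if dig(response, path) is not None
    )


def check_endpoint(full_path, pipeline_iid, token=None, url=GITLAB_GRAPHQL):
    """POST the query and return exposed_fields() of the live response.
    Omit `token` to query as an unauthenticated user (assumption: a personal
    access token is accepted as `Authorization: Bearer <token>`)."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    body = json.dumps(build_payload(full_path, pipeline_iid)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return exposed_fields(json.load(resp))


# Constructed sample responses (not captured from gitlab.com).
LEAKING_RESPONSE = {  # current behaviour: anonymous caller gets the data
    "data": {"project": {"id": "gid://gitlab/Project/1", "pipeline": {
        "id": "gid://gitlab/Ci::Pipeline/1",
        "securityReportFindings": {"nodes": [{"name": "constructed finding"}]},
        "securityReportSummary": {"dependencyScanning": {"scannedResourcesCount": 3}},
    }}}
}
FIXED_RESPONSE = {  # expected after the fix: both fields nulled for that caller
    "data": {"project": {"id": "gid://gitlab/Project/1", "pipeline": {
        "id": "gid://gitlab/Ci::Pipeline/1",
        "securityReportFindings": None,
        "securityReportSummary": None,
    }}},
    "errors": [{"message": "The resource that you are attempting to access "
                           "does not exist or you don't have permission"}],
}

if __name__ == "__main__":
    # usage: python check_fields.py <fullPath> <pipelineIid> [token]
    path, iid = sys.argv[1], int(sys.argv[2])
    tok = sys.argv[3] if len(sys.argv) > 3 else None
    print("exposed:", check_endpoint(path, iid, tok))
```

`exposed_fields` is kept separate from the HTTP call so the classification can be unit-tested against saved responses, and so the same check can be pointed at a self-managed instance by passing `url=`.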