Discussions API incorrectly masks author name for group owner with sufficient permissions
## Summary

The discussions endpoint masks `author.name` as `"****"` even when the requesting user is a group owner with full permissions on GitLab.com.

## Steps to reproduce

1. Create a new group on GitLab.com
2. Create a new project within that group
3. Create a new user or bot account (e.g., `ai-reviewer-bot`)
4. Add the bot to the project with Developer role
5. Create a test branch and push code:

   ```bash
   git checkout -b test-branch
   echo "test" > test.txt
   git add test.txt
   git commit -m "test"
   git push -u origin test-branch
   ```

6. Create a merge request from `test-branch` to the default branch
7. Add a discussion comment to the MR using the bot's account (or group access token)
8. As the group owner, query the discussions endpoint:

   ```bash
   curl -H "PRIVATE-TOKEN: YOUR_PERSONAL_TOKEN" \
     "https://gitlab.com/api/v4/projects/{PROJECT_ID}/merge_requests/{MR_IID}/discussions"
   ```

9. Observe that `author.name` is masked as `"****"`
10. Query the users endpoint for the same user:

    ```bash
    curl -H "PRIVATE-TOKEN: YOUR_PERSONAL_TOKEN" \
      "https://gitlab.com/api/v4/users/{USER_ID}"
    ```

11. Observe that the actual name is returned (not masked)

## Expected behavior

Author name should be visible to group owner in the discussions endpoint.

## Actual behavior

Author name is masked as `"****"` in the discussions endpoint despite the group owner having full permissions.

## Inconsistency

- `/api/v4/users/{id}` returns the actual author name
- `/api/v4/projects/{id}/merge_requests/{iid}/discussions` masks it as `"****"`

The data is clearly accessible (proven by the users endpoint), so the masking is a permission check bug in the discussions endpoint.

## Environment

- GitLab.com (SaaS)
- Token type: Personal access token (group owner)
- Affected endpoint: `GET /api/v4/projects/:id/merge_requests/:merge_request_iid/discussions`
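
A check for the inconsistency reported above, as an added example that is not part of the original issue or GitLab's code: it scans a discussions response for notes whose `author.name` is `"****"` and compares each author against the users endpoint. The helper names, sample IDs and sample payloads are constructed for illustration, and `gitlab_get` reads only the first page of results.

```python
import json
import urllib.request

MASK = "****"  # the masked author.name value reported in this issue

def gitlab_get(path, token, base="https://gitlab.com/api/v4"):
    """GET one API path with a PRIVATE-TOKEN header (first page only)."""
    req = urllib.request.Request(base + path, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_masked_authors(discussions, lookup_user):
    """Return one finding per author whose name is masked in the discussions
    payload although lookup_user(user_id) returns the real name."""
    findings = {}
    for discussion in discussions:
        for note in discussion.get("notes", []):
            author = note.get("author") or {}
            uid = author.get("id")
            if uid is None or uid in findings or author.get("name") != MASK:
                continue
            real = (lookup_user(uid) or {}).get("name")
            if real and real != MASK:
                findings[uid] = {"user_id": uid,
                                 "username": author.get("username"),
                                 "discussions_name": MASK,
                                 "users_name": real}
    return list(findings.values())

# Constructed sample data (IDs and names are made up for this example).
SAMPLE_DISCUSSIONS = [
    {"id": "d1", "notes": [
        {"id": 1, "author": {"id": 101, "username": "ai-reviewer-bot", "name": MASK}},
        {"id": 2, "author": {"id": 102, "username": "group-owner", "name": "Group Owner"}},
    ]},
    {"id": "d2", "notes": [
        {"id": 3, "author": {"id": 101, "username": "ai-reviewer-bot", "name": MASK}},
    ]},
]
SAMPLE_USERS = {
    101: {"id": 101, "username": "ai-reviewer-bot", "name": "AI Reviewer Bot"},
    102: {"id": 102, "username": "group-owner", "name": "Group Owner"},
}

if __name__ == "__main__":
    # Live use: discussions = gitlab_get("/projects/{PROJECT_ID}/merge_requests/{MR_IID}/discussions", token)
    # and lookup_user = lambda uid: gitlab_get(f"/users/{uid}", token)
    for finding in find_masked_authors(SAMPLE_DISCUSSIONS, SAMPLE_USERS.get):
        print(finding)
```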