Project approval rules are visible to Developer users via the REST API but invisible via GraphQL
Summary
A customer in this internal ticket noticed a difference in behaviour between GraphQL and the REST API. The GraphQL ApprovalProjectRule resource does not list approval rules for Developer users, while the Get project-level rules REST API does list the rules for the same user. The same Personal access token is used for the REST API queries and for GraphQL; the token has the api and read_api scopes. The user role is Developer.
GraphQL query to get ApprovalProjectRule
GraphQL query result
{
  "data": {
    "queryComplexity": { "limit": 250, "score": 53 },
    "project": {
      "id": "gid://gitlab/Project/338",
      "branchRules": { "nodes": [] },
      "scanResultPolicies": { "nodes": [] }
    }
  }
}
Get project-level rules REST API
curl --header "PRIVATE-TOKEN: $GRAPHQL_TOKEN" "https://main.gitlab.egrechishkina.com/api/v4/projects/338/approval_rules"
REST API output
[
  {
    "id": 6,
    "name": "test_approval",
    "rule_type": "regular",
    "eligible_approvers": [
      {
        "id": 36,
        "username": "annperkins",
        "name": "Ann Perkins",
        "state": "active",
        "locked": false,
        "avatar_url": "https://secure.gravatar.com/avatar/507b4eef8ed8ee37642b5d04504ab030?s=80&d=identicon",
        "web_url": "https://main.gitlab.egrechishkina.com/annperkins"
      }
    ],
    "approvals_required": 1,
    "users": [
      {
        "id": 36,
        "username": "annperkins",
        "name": "Ann Perkins",
        "state": "active",
        "locked": false,
        "avatar_url": "https://secure.gravatar.com/avatar/507b4eef8ed8ee37642b5d04504ab030?s=80&d=identicon",
        "web_url": "https://main.gitlab.egrechishkina.com/annperkins"
      }
    ],
    "groups": [],
    "contains_hidden_groups": false,
    "protected_branches": [
      {
        "id": 278,
        "name": "main",
        "push_access_levels": [
          {
            "id": 278,
            "access_level": 40,
            "access_level_description": "Maintainers",
            "deploy_key_id": null,
            "user_id": null,
            "group_id": null
          }
        ],
        "merge_access_levels": [
          {
            "id": 279,
            "access_level": 40,
            "access_level_description": "Maintainers",
            "user_id": null,
            "group_id": null
          }
        ],
        "allow_force_push": false,
        "unprotect_access_levels": [],
        "code_owner_approval_required": false,
        "inherited": false
      }
    ],
    "applies_to_all_protected_branches": false
  }
]
Steps to reproduce
- Create a project that has approval rules
- Add a user with the Developer role to it
- Create a Personal access token for that user and make sure it has the api and read_api scopes
- Run the queries listed in the Summary section above
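The reproduction above can be scripted so that both API surfaces are queried with the same token and their results are diffed mechanically. The script below is an added example, not code from the report or from GitLab: it fetches the REST rules and a GraphQL result with one Personal access token and reports which rule names only one surface returns. The environment variable names, the PROJECT_PATH (GraphQL looks projects up by full path, not numeric ID) and the GraphQL selection path Project.branchRules -> BranchRule.approvalRules -> ApprovalProjectRule are assumptions; the customer's actual query is not included in the report. The embedded sample responses are trimmed copies of the two outputs shown above so the comparison can be exercised offline.

```python
"""Added example, not from the original report: query the same project's
approval rules through the REST API and through GraphQL with one Personal
Access Token, then diff the rule names the two surfaces return.

Assumptions (not in the report): the GITLAB_HOST / PROJECT_ID / PROJECT_PATH /
GRAPHQL_TOKEN environment variables, and the GraphQL selection path
Project.branchRules -> BranchRule.approvalRules -> ApprovalProjectRule.
"""
import json
import os
import urllib.request

# Assumed GraphQL selection; the report does not include the customer's query.
GRAPHQL_QUERY = """
query($path: ID!) {
  project(fullPath: $path) {
    id
    branchRules {
      nodes {
        name
        approvalRules { nodes { id name approvalsRequired } }
      }
    }
  }
}
"""


def fetch_rest(host, project_id, token):
    """GET /api/v4/projects/:id/approval_rules, the call shown in the report."""
    req = urllib.request.Request(
        f"{host}/api/v4/projects/{project_id}/approval_rules",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_graphql(host, project_path, token):
    """POST the assumed query to /api/graphql with the same token."""
    body = json.dumps({"query": GRAPHQL_QUERY, "variables": {"path": project_path}})
    req = urllib.request.Request(
        f"{host}/api/graphql",
        data=body.encode(),
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rest_rule_names(rest_json):
    """Rule names from the REST array (each element is one approval rule)."""
    return {rule["name"] for rule in rest_json}


def graphql_rule_names(gql_json):
    """Rule names from the GraphQL response; tolerates empty branchRules."""
    names = set()
    project = gql_json.get("data", {}).get("project") or {}
    for branch_rule in project.get("branchRules", {}).get("nodes", []):
        for rule in branch_rule.get("approvalRules", {}).get("nodes", []):
            names.add(rule["name"])
    return names


def compare(rest_json, gql_json):
    """Report which rules only one of the two API surfaces exposes."""
    rest, gql = rest_rule_names(rest_json), graphql_rule_names(gql_json)
    return {
        "rest_only": sorted(rest - gql),
        "graphql_only": sorted(gql - rest),
        "consistent": rest == gql,
    }


# Responses copied (trimmed) from the report above, for an offline check.
REST_SAMPLE = [
    {"id": 6, "name": "test_approval", "rule_type": "regular",
     "approvals_required": 1,
     "eligible_approvers": [{"id": 36, "username": "annperkins"}],
     "protected_branches": [{"id": 278, "name": "main"}]}
]
GRAPHQL_SAMPLE = {
    "data": {
        "project": {
            "id": "gid://gitlab/Project/338",
            "branchRules": {"nodes": []},
            "scanResultPolicies": {"nodes": []},
        }
    }
}

if __name__ == "__main__":
    host = os.environ.get("GITLAB_HOST")
    token = os.environ.get("GRAPHQL_TOKEN")
    if host and token:  # live run against a real instance
        rest = fetch_rest(host, os.environ["PROJECT_ID"], token)
        gql = fetch_graphql(host, os.environ["PROJECT_PATH"], token)
    else:  # offline: replay the responses from the report
        rest, gql = REST_SAMPLE, GRAPHQL_SAMPLE
    print(json.dumps(compare(rest, gql), indent=2))
```

Run offline with no environment variables set and it reproduces the report's mismatch (rest_only contains test_approval). Note that the script only surfaces the inconsistency; it does not decide which surface is right. Since the REST response discloses eligible approvers and protected-branch access levels, the fix has to settle whether a Developer is meant to see that data at all and then apply that single authorization check on both surfaces.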
Example Project
What is the current bug behavior?
A Developer user with the same token and scopes can read the project's approval rules (including eligible approvers and protected-branch access levels) through the REST API but not through GraphQL, so the two API surfaces apply different authorization to the same resource.
What is the expected correct behavior?
There should be no difference. The same user with the same token should get the same approval rules from both APIs, which means both surfaces must apply the same authorization check.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com