Hide the `created_by` attribute from group/project non-admins
What does this MR do and why?
This is a follow-up of !144638 (merged).
After we enable the webui_members_inherited_users feature flag, we'll
start returning the invited private group members to the project/group
members for the /source/:id/members/all & /source/:id/members/all/:user_id
APIs. Here we're hiding the created_at attribute from the non-admins
of the shared group/project.
This is required because sometimes the members are added by project/group bots and therefore the created_by can reveal some information about the group like the group name. This is not a security issue but might be a privacy concern for some users.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
For project:
- Enable the feature flag: `Feature.enable(:webui_members_inherited_users)`.
- Log in using `user1` and create 2 private groups called `Group1` & `Invited-group`.
- Create `Shared-project` under `Group1`.
- Invite `user2` to Invited-group and `user3` to Shared-project with Developer access.
- Now invite `Invited-group` to `Shared-project` using the Invite a group button on https://gdk.test:3000/group1/shared-project/-/project_members
- Now log in using `user3`.
- Check out this branch and call this API using the Shared-project id https://gdk.test:3000/api/v4/projects/:id/members/all.
  - The `created_by` attribute should not be present for `user2`
For group:
Create a group called Shared-group instead of Shared-project and repeat the above steps.
Related to #219230 (closed)
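
A response check for the last validation step, as an added example that is not part of this MR or of GitLab's code base. The helper name `audit_created_by`, both sample bodies, and the bot account name are constructed for illustration; paste the real body returned to `user3` in their place.

```ruby
require 'json'

# Constructed sample bodies for GET /api/v4/projects/:id/members/all as seen
# by user3 (a non-admin). The bot account name is made up for illustration.
LEAKY_BODY = <<~JSON
  [
    {"id": 3, "username": "user3", "access_level": 30},
    {"id": 2, "username": "user2", "access_level": 30,
     "created_by": {"id": 99, "username": "invited_group_bot"}}
  ]
JSON

FIXED_BODY = <<~JSON
  [
    {"id": 3, "username": "user3", "access_level": 30},
    {"id": 2, "username": "user2", "access_level": 30}
  ]
JSON

# Hypothetical helper: audits a members/all body for the usernames whose
# `created_by` must be hidden from the caller.
def audit_created_by(body, hidden_for:)
  members = JSON.parse(body)
  raise ArgumentError, 'expected a JSON array of members' unless members.is_a?(Array)

  by_name = members.select { |m| m.is_a?(Hash) }
                   .to_h { |m| [m['username'], m] }
  # Key presence counts as a leak, even when the value is null.
  leaks = hidden_for.select { |name| by_name[name]&.key?('created_by') }
  # A member absent from the response means the setup is wrong,
  # not that the check passed.
  missing = hidden_for.reject { |name| by_name.key?(name) }
  { leaks: leaks, missing: missing, passed: leaks.empty? && missing.empty? }
end

if __FILE__ == $PROGRAM_NAME
  p audit_created_by(LEAKY_BODY, hidden_for: ['user2'])
  p audit_created_by(FIXED_BODY, hidden_for: ['user2'])
end
```

The `missing` list guards against a false pass when `user2` never shows up in the response, for example because the feature flag is still disabled.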