Skip to content

UserNotesCountResolver prevents anonymous access to issue's userNotesCount field

The authorization checks inside of app/graphql/resolvers/user_notes_count_resolver.rb prevent anonymous users to get the userNotesCount field of issues.

This should instead return the number of non-confidential notes, provided that the user can actually read the issue itself.

As it is right now, it prevents anonymous users from getting the list of issues when the userNotesCount is queried.

A workaround is to get the notes field and get the length of the returned nodes array.

Implementation plan

  • Update the authorization checks that are inside app/graphql/resolvers/user_notes_count_resolver.rb
  • Or schedule the userNotesCount for deprecation and removal, and export the count field on the issue's notes connection