Expose user email to group managed account owners
What does this MR do?
Refs #209022 (closed)
Expose group managed account (GMA) email addresses to GMA owners on group and project membership REST API requests. Specifically, the membership GET requests described at https://docs.gitlab.com/ee/api/members.html
GMA is a User that belongs to a Group via the Group#managing_group attribute. Described in the code here.
The code changes were minimal. But the UserBasic entity serializer is used by multiple endpoints so there were many specs required. Project and Group specs were nearly all the same except for a couple of inherited member queries.
The biggest risk with this MR is incorrectly exposing email addresses. I took great care on the specs and tried to make them easy to follow to help combat this risk.
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- [-] Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Closes #209022 (closed)
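The exposure rule described above, with the negative cases that guard against leaking an email address, as an added Ruby sketch that is not code from this MR or from GitLab. The structs, method names and sample data are hypothetical; only the idea of a user linked to a managing group comes from the description.

```ruby
# Added sketch, not GitLab code: every name here is hypothetical.
User  = Struct.new(:id, :username, :email, :managing_group)
Group = Struct.new(:id, :owner_ids) do
  # A nil requester (anonymous API call) is never an owner.
  def owner?(user)
    !user.nil? && owner_ids.include?(user.id)
  end
end

# The email is readable only when the member is a group managed account
# and the requester owns that same managing group.
def can_read_managed_email?(requester, member)
  group = member.managing_group
  return false if group.nil? # not a group managed account

  group.owner?(requester)
end

# Serialize one membership row. The email key is omitted entirely,
# rather than set to nil, when the requester may not see it.
def serialize_member(member, requester)
  row = { id: member.id, username: member.username }
  row[:email] = member.email if can_read_managed_email?(requester, member)
  row
end

def serialize_members(members, requester)
  members.map { |member| serialize_member(member, requester) }
end

# Constructed sample data.
ACME        = Group.new(1, [10])
OTHER       = Group.new(2, [20])
ACME_OWNER  = User.new(10, "acme-owner", "owner@acme.example", nil)
OTHER_OWNER = User.new(20, "other-owner", "owner@other.example", nil)
MANAGED     = User.new(30, "managed", "managed@acme.example", ACME)
UNMANAGED   = User.new(40, "regular", "regular@mail.example", nil)
ACME_DEV    = User.new(50, "acme-dev", "dev@acme.example", ACME) # managed, not an owner

if __FILE__ == $PROGRAM_NAME
  # Only the row for the managed account carries an email for ACME's owner.
  p serialize_members([MANAGED, UNMANAGED], ACME_OWNER)
  # An owner of a different group gets no email for the same account.
  p serialize_member(MANAGED, OTHER_OWNER)
end
```
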