Skip to content

Add User.location to GraphQL API

Alex Kalderimis requested to merge ajk-graphql-user-location into master

What does this MR do?

This adds a field to the GraphQL API which is present in the REST API. Specifically location.

GraphQL queries

query {
 currentUser {
   name
   location
 }
}

Representative result:

{
  "data": {
    "currentUser": {
      "name": "Alex Kalderimis",
      "location": "Cambridge, UK"
    }
  }
}

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

This MR exposes an additional field that is already available through the REST API. It does not present any new risks, and the nature of GraphQL is that new fields do not affect existing queries.

Security

This MR exposes Personally Identifying Information (PII), so requires a security review. This is currently protected by the policy :read_user (which is the same as for the users/:username REST endpoint).

We could potentially further protect this behind :read_user_location.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Alex Kalderimis

Merge request reports

Loading