Add field authorization to Pipeline fields [RUN ALL RSPEC] [RUN AS-IF-FOSS]
requested to merge 329695-add-read_commit_status-field-authorization-to-pipeline-fields-that-can-return-jobs into master
What does this MR do?
This MR addresses the bug seen in #329695 (closed), where we were returning stages and groups to users without jobs in them.
This was due to the fact that we made group-by queries for jobs first, and only later in the GQL query life-cycle (right at the end) do we redact unauthorized information.
Quite apart from the performance benefits of not running queries we know cannot return any results, the current approach runs the risk of exposing data (stage and group names) that is technically unauthorized.
Generally stage and group names are not considered to be security risks, but we should not be exposing them to guest users (which is what we are doing).
Does this MR meet the acceptance criteria?
Conformity
-
📋 Does this MR need a changelog?-
I have included a changelog entry.
-
-
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Related to #329695 (closed)
Edited by 🤖 GitLab Bot 🤖