
Draft: Hide issues created by banned users [RUN ALL RSPEC] [RUN AS-IF-FOSS]

Serena Fang requested to merge hide-issues-made-by-banned-users into master

What does this MR do?

Epic: &5741

Issue: #327355 (closed)

Follow up to !61292 (merged)

Malicious actors create many issues in public projects/groups for spam. We need a way to be able to hide their issues until they can be reviewed and deemed safe. This MR hides issues created by banned users from non-admins. Admin users can still see the hidden issues.

Database

With check for banned users:

explain SELECT "issues".* FROM "issues" INNER JOIN "users" ON "users"."id" = "issues"."author_id" WHERE (users.state != 'banned') AND ( issues.confidential IS NOT TRUE OR (issues.confidential = TRUE AND (issues.author_id = 5966677 OR EXISTS (SELECT TRUE FROM issue_assignees WHERE user_id = 5966677 AND issue_id = issues.id) OR EXISTS (SELECT 1 FROM "project_authorizations" WHERE "project_authorizations"."user_id" = 5966677 AND (project_authorizations.project_id = issues.project_id) AND (project_authorizations.access_level >= 20))))) AND "issues"."project_id" = 278964 AND ("issues"."state_id" IN (1)) AND "issues"."issue_type" IN (0, 1) ORDER BY "issues"."created_at" DESC, "issues"."id" DESC LIMIT 20 OFFSET 0

https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/4434/commands/15492

Without check for banned users:

explain SELECT "issues".* FROM "issues" WHERE ( issues.confidential IS NOT TRUE OR (issues.confidential = TRUE AND (issues.author_id = 5966677 OR EXISTS (SELECT TRUE FROM issue_assignees WHERE user_id = 5966677 AND issue_id = issues.id) OR EXISTS (SELECT 1 FROM "project_authorizations" WHERE "project_authorizations"."user_id" = 5966677 AND (project_authorizations.project_id = issues.project_id) AND (project_authorizations.access_level >= 20))))) AND "issues"."project_id" = 278964 AND ("issues"."state_id" IN (1)) AND "issues"."issue_type" IN (0, 1) ORDER BY "issues"."created_at" DESC, "issues"."id" DESC LIMIT 20 OFFSET 0

https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/4434/commands/15493

Screenshots (strongly suggested)

When current user is admin:

The issue count includes hidden issues, which are indicated with the spam icon; the icon has a tooltip explaining why the issue is hidden.

Screen_Shot_2021-06-01_at_4.01.29_PM

Admin is able to view hidden issue normally.

Screen_Shot_2021-06-01_at_4.09.11_PM

When impersonating a group member:

The issue count includes confidential issues but NOT hidden issues.

Screen_Shot_2021-06-01_at_4.05.29_PM

Group member is not able to view hidden issue.

Screen_Shot_2021-06-01_at_4.08.11_PM

When impersonating a non group member:

The issue count does not include confidential issues or hidden issues, and the user cannot view confidential issues or hidden issues.

Screen_Shot_2021-06-01_at_4.14.30_PM

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Serena Fang
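The two EXPLAIN queries above differ only in the `INNER JOIN "users" ... WHERE users.state != 'banned'` that the non-admin path adds. The following is an added example, not code from this MR or from GitLab: it models that rule over an in-memory SQLite copy of the columns those queries touch (users, issues, issue_assignees, project_authorizations) with constructed rows, and runs the admin query (no join) and the non-admin query (join plus banned check) side by side. The `admin` column on `users`, the user and project ids, and the simplification that the admin still goes through the same confidentiality clause are assumptions of the model. One caveat it also shows: an INNER JOIN on `users` drops any issue whose `author_id` has no matching users row at all, not only issues by banned authors, so if unmatched author ids can exist in the real schema a LEFT JOIN with `users.state IS DISTINCT FROM 'banned'` would be the safer shape.

```python
"""Model of "hide issues created by banned users from non-admins".

Added example (not GitLab's code). The schema mirrors only the columns the
MR's EXPLAIN queries reference; all rows below are constructed test data.
"""
import sqlite3

BANNED = "banned"

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, state TEXT NOT NULL, admin INTEGER NOT NULL DEFAULT 0);
CREATE TABLE issues (
    id INTEGER PRIMARY KEY, project_id INTEGER NOT NULL, author_id INTEGER,
    confidential INTEGER NOT NULL DEFAULT 0, created_at TEXT NOT NULL);
CREATE TABLE issue_assignees (issue_id INTEGER NOT NULL, user_id INTEGER NOT NULL);
CREATE TABLE project_authorizations (
    user_id INTEGER NOT NULL, project_id INTEGER NOT NULL, access_level INTEGER NOT NULL);
"""

# Constructed sample data (assumption: an `admin` flag column models admin users).
USERS = [
    (1, "active", 1),  # admin
    (2, "active", 0),  # project member with reporter access (>= 20)
    (3, "active", 0),  # non-member
    (4, BANNED, 0),    # banned spammer
]
ISSUES = [
    (10, 100, 2, 0, "2021-06-01T10:00"),     # ordinary public issue
    (11, 100, 2, 1, "2021-06-01T11:00"),     # confidential issue by the member
    (12, 100, 4, 0, "2021-06-01T12:00"),     # spam by banned user -> hidden
    (13, 100, 4, 1, "2021-06-01T13:00"),     # confidential spam by banned user
    (14, 100, None, 0, "2021-06-01T14:00"),  # author row missing: INNER JOIN caveat
]
AUTHZ = [(1, 100, 50), (2, 100, 20)]  # (user_id, project_id, access_level)


def connect():
    """Build the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO issues VALUES (?,?,?,?,?)", ISSUES)
    conn.executemany("INSERT INTO project_authorizations VALUES (?,?,?)", AUTHZ)
    return conn


# Confidentiality clause, same shape as in the MR's queries (SQLite booleans are 0/1).
CONFIDENTIALITY = """
(issues.confidential = 0
 OR issues.author_id = :uid
 OR EXISTS (SELECT 1 FROM issue_assignees a
            WHERE a.user_id = :uid AND a.issue_id = issues.id)
 OR EXISTS (SELECT 1 FROM project_authorizations pa
            WHERE pa.user_id = :uid AND pa.project_id = issues.project_id
              AND pa.access_level >= 20))
"""


def visible_issue_ids(conn, uid, project_id):
    """Issue ids the given user may list, newest first.

    Admins run the "without check for banned users" query; everyone else gets
    the INNER JOIN on users plus the state != 'banned' filter.
    """
    is_admin = conn.execute("SELECT admin FROM users WHERE id = ?", (uid,)).fetchone()[0]
    if is_admin:
        sql = f"""SELECT issues.id FROM issues
                  WHERE {CONFIDENTIALITY} AND issues.project_id = :pid
                  ORDER BY issues.created_at DESC, issues.id DESC"""
    else:
        sql = f"""SELECT issues.id FROM issues
                  INNER JOIN users ON users.id = issues.author_id
                  WHERE users.state != :banned
                    AND {CONFIDENTIALITY} AND issues.project_id = :pid
                  ORDER BY issues.created_at DESC, issues.id DESC"""
    params = {"uid": uid, "pid": project_id, "banned": BANNED}
    return [row[0] for row in conn.execute(sql, params).fetchall()]


if __name__ == "__main__":
    db = connect()
    for uid, label in ((1, "admin"), (2, "member"), (3, "non-member")):
        print(f"{label:>10}: {visible_issue_ids(db, uid, 100)}")
```

Running it lists every issue for the admin, the public issue plus the member's own confidential one for the member, and only the public issue for the non-member, matching the three screenshot cases above; issue 14 disappears for non-admins purely because the INNER JOIN finds no users row for it.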
