Do not show participants invisible to the user
What does this MR do and why?
- Contributes to #277376 (closed)
- Feature flag: #347407 (closed)
Problem
We expose participants that the current user is not allowed to see, because the GraphQL `participants` field does not pass the current user to the `participants` method. When no user is given, the method falls back to the issuable's author and resolves participants with the author's permissions, so a request from an anonymous or low-privileged user is evaluated as if it came from the author.
Solution
- Add GraphQL resolver to participants field
- Return only visible participants for issues/MRs API
- Verify that participable object is readable by the user
- Remove fallback to the author when the current user is not set
Screenshots or screen recordings
User | Before | After
---|---|---
Unauthorized | |
Guest | |
Admin | |
How to set up and validate locally
- Create or choose a public project
- Create or find a merge request in this project
- Create an issue in a private project
- Create a note on this issue with a link to the merge request from step 2
- Only users who can read issues in the private project should see the note's author in the merge request's participants list; unauthorized and guest users should not
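The following is an added example written for this description, not code from this MR or from GitLab itself. It models the rule stated in the Solution bullets and exercised by the validation steps above with a small hypothetical in-memory model (the `Project`, `MergeRequest`, `Note` classes and `readable_by?` helper are assumptions, not GitLab's API): a participant who only appears through a note in a private project is returned only when the requesting user can read that project, the participable itself must be readable, and the old fallback to the author's permissions is shown side by side with the fixed behaviour.

```ruby
# Hypothetical model (not GitLab code): participant visibility must be decided
# with the requesting user's permissions, never the issuable author's.

User = Struct.new(:name, :admin)

Project = Struct.new(:name, :public_access, :members) do
  # Stand-in for a project read permission check.
  # nil user means an anonymous request.
  def readable_by?(user)
    return true if public_access
    return false if user.nil?

    user.admin || members.include?(user)
  end
end

Issue = Struct.new(:project, :author)
# A comment on an issue whose body links to the merge request.
Note = Struct.new(:author, :noteable)

class MergeRequest
  attr_reader :project, :author, :referencing_notes

  def initialize(project, author, referencing_notes = [])
    @project = project
    @author = author
    @referencing_notes = referencing_notes
  end

  # Behaviour before the fix: a missing current user falls back to the
  # author, so an anonymous request is resolved with the author's access.
  def participants_before_fix(current_user = nil)
    current_user ||= author
    raw_participants(current_user)
  end

  # Behaviour after the fix: the caller must pass the current user (nil is
  # anonymous), and the participable itself must be readable first.
  def participants(current_user)
    return [] unless project.readable_by?(current_user)

    raw_participants(current_user)
  end

  private

  # The author of a referencing note is a participant only if the
  # requesting user can read the noteable the note was written on.
  def raw_participants(user)
    visible = [author]
    referencing_notes.each do |note|
      visible << note.author if note.noteable.project.readable_by?(user)
    end
    visible.uniq
  end
end

# Constructed scenario mirroring the validation steps: a public project MR
# linked from a note on an issue in a private project.
def build_scenario
  alice = User.new("alice", false)   # MR author, member of both projects
  bob   = User.new("bob", false)     # comments on the private issue
  guest = User.new("guest", false)   # signed in, no access to private project
  admin = User.new("admin", true)

  public_project  = Project.new("public", true, [alice])
  private_project = Project.new("private", false, [alice, bob])

  issue = Issue.new(private_project, bob)
  note  = Note.new(bob, issue)
  mr    = MergeRequest.new(public_project, alice, [note])

  { mr: mr, alice: alice, bob: bob, guest: guest, admin: admin }
end

def participant_names(mr, user, fixed: true)
  list = fixed ? mr.participants(user) : mr.participants_before_fix(user)
  list.map(&:name)
end

if __FILE__ == $0
  s = build_scenario
  puts "anonymous, before fix: #{participant_names(s[:mr], nil, fixed: false)}" # leaks bob
  puts "anonymous, after fix:  #{participant_names(s[:mr], nil)}"
  puts "guest, after fix:      #{participant_names(s[:mr], s[:guest])}"
  puts "admin, after fix:      #{participant_names(s[:mr], s[:admin])}"
end
```

The unauthorized and guest rows of the screenshot table correspond to the `nil` and `guest` calls: with the fallback removed they see only the MR author, while admins and members of the private project still see the note author.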
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Vasilii Iakliushin