Check authorization to view billableMembersCount via GraphQL
What does this MR do and why?
In #322815 (comment 864427923) it was raised that only certain user roles should have access to billableMembersCount
which is being exposed via GraphQL
This MR adds the authorization check and updates the specs accordingly
How to set up and validate locally
- Navigate to
http://localhost:3000/-/graphql-explorer
- Query a group with the following:
query { group(fullPath: "path/to/group/here"){ billableMembersCount } }
- Try the same query when logged in as the owner/developer/guest/etc
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.