Do not show guest users as participants when mentioned on internal note
What does this MR do and why?
Do not allow guests to be issue/epic participants because of references on confidential notes.
Guest users should also not receive any notification when mentioned on confidential notes.
Important: User mentions are being stored in the database, and there is a plan to use those records to get the participants when a notification is triggered, avoiding a search for references on all notes every time an email needs to be sent. This MR also prevents storing unauthorized user mentions in the database, to prevent leaking information when the refactoring happens.
How to set up and validate locally
- Create an issue or epic
- Add a guest user to the issue/epic parent
- Mention the guest user in a confidential note
What should happen: No emails are sent and the guest user is not present in the sidebar as a participant. If the guest user is mentioned in another regular note, he should be a participant as expected.
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/361660
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
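A minimal model of the behaviour described above, added here as an illustration and not GitLab's own code: mentions are resolved per note and filtered by whether the mentioned user may read that note, and the same filter is applied before a mention is stored. The `User` and `Note` structs, the helper names, the sample data and the rule that reading a confidential note needs at least Reporter access are all assumptions made for the example.

```ruby
# Added illustration; User, Note and the helpers below are hypothetical names.
GUEST = 10
REPORTER = 20
DEVELOPER = 30

User = Struct.new(:name, :access_level)
Note = Struct.new(:author, :body, :confidential)

# Assumption: a confidential (internal) note is readable from Reporter access upward.
def can_read_note?(user, note)
  !note.confidential || user.access_level >= REPORTER
end

# Resolve @name references in one note, keeping only members allowed to read it.
def visible_mentions(note, members)
  names = note.body.scan(/@(\w+)/).flatten.map(&:downcase).uniq
  members.select { |u| names.include?(u.name.downcase) && can_read_note?(u, note) }
end

# Participants are note authors plus authorized mentions across all notes.
def participants(notes, members)
  notes.flat_map { |n| [n.author] + visible_mentions(n, members) }.uniq
end

# Rows that would be persisted as user mentions. Unauthorized mentions are
# dropped before storage, so a later "read participants from stored mentions"
# refactoring cannot reintroduce the leak.
def stored_mentions(notes, members)
  notes.each_with_index.flat_map do |note, index|
    visible_mentions(note, members).map { |u| { note_index: index, user: u.name } }
  end
end

# Constructed sample data.
DANA = User.new("dana", DEVELOPER)
GINA = User.new("gina", GUEST)
RITA = User.new("rita", REPORTER)
MEMBERS = [DANA, GINA, RITA].freeze
INTERNAL = Note.new(DANA, "@gina @rita please look at this", true)
REGULAR = Note.new(DANA, "thanks @gina", false)

puts participants([INTERNAL], MEMBERS).map(&:name).inspect
puts participants([INTERNAL, REGULAR], MEMBERS).map(&:name).inspect
puts stored_mentions([INTERNAL, REGULAR], MEMBERS).inspect
```
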