@ck3g I was not aware of that, but it makes sense (up to a point).

This raises some concerns/questions:

• why can you even query a user by their id? This should only be allowed by admins (there is really no reason to it).
• why can do any queries on private instances?

Can we find a middle way of allowing queries by username if the instance is public? (This is almost the same as scraping their userpage) (and check if the user profile is mabye private, not sure if that is done)

What does this MR do and why?

(group) member finder: check if user has read member permission

This permission is checked in the api endpoints, but not for the web frontend. By default all users with access can read the permission, but that can be changed when revoking the permission (in a custom fork).

How to set up and validate locally

Remove all :read_project_member permissions in app/policies/project_policy.rb and then it is still possible to query the members of a public project on the web frontend.

Note: This does not remove TEAM events from the project activity page (yet). This should be done too, otherwise you can simply rebuild the members.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

What does this MR do and why?

when quering the current user (with access token) it now shows if the user is an instance administrator (already possible via rest).

How to set up and validate locally

GraphQL query:

query {
  currentUser {
    admin
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Moritz Zwerger (8c6b9a5e) at 15 Mar 16:05

Moritz Zwerger (f76e3ce7) at 15 Mar 16:04

What does this MR do and why?

graphql: allow unauthenticated users to query users

This is needed for viewing user profile pages. This should not impose any new risk, as all details are possible to query with html scraping. GraphQL only makes this machine readable.

Maybe removing the whole authorize! parth is better, not sure.

References

Fixes #588801

How to set up and validate locally

GraphQL request:

query {
  user(username: "bixilon") {
      username
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

It can either be a repository or the container needs to provides the repository. The function is only called for either Repository, Tree or TreeEntry, the latter both have the .repository, so this should be fine (and if not is throws an error, that is also "fine")

Moritz Zwerger (dee45b7c) at 14 Mar 20:45

What does this MR do and why?

Adds the last commit in graphql tree exploring.

This is currently done via "rest" (call to https://gitlab.com/gitlab-community/gitlab-org/gitlab/-/refs/master/logs_tree/?format=json&offset=0). It is much cleaner and more convenient via graphql.

Currently (without using the "rest" api) I need to do a separate graphql request (lastCommit for the path) for each submodule/folder/blob. This hammes gitlab with many requests.

How to set up and validate locally

GraphQL request:

query {
    project(fullPath: "james.garfield/non") {
    repository {
      tree(ref: "master", recursive: false) {
        blobs {
          nodes {              
            lastCommit {
                id
                sha
            }
          }
        }
      }
    }
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Moritz Zwerger (e5a7b14f) at 14 Mar 20:43

What does this MR do and why?

graphql: expose diffs stats for commits

(This is already exposed via "rest" call to /${project/-/commit/${sha}/diffs_stats). Makes things simpler 😄 (and potentially removes another rest call in the web client when loading a commit).

Not sure, in merge requests the same stat is called diffStatsSummary, maybe that is a better name (don't think so)

References

Fixes #366639

How to set up and validate locally

Following graphql request:

query {
  project(fullPath: "gitlab-community/gitlab-org/gitlab") {
    repository {
      commit(ref: "c2d6268632962602ff93c7304e6d7dff6316314c") {
        diffsStats {
          additions
        }
      }
    }
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Moritz Zwerger (f96aea84) at 14 Mar 20:37

What does this MR do and why?

graphql: allow guests to fetch statistics about project

References

Fixes #30464

How to set up and validate locally

GraphQL request, see issue.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Moritz Zwerger (c2d62686) at 14 Mar 20:30

Moritz Zwerger (177c11a9) at 14 Mar 20:28

Moritz Zwerger (99ad0ede) at 23 Feb 16:23

Oh yes, that indeed fixes the pipeline. Thanks for the help! All set from my side.