From 979c5452ff300d366f6434d7689bfac0940157ea Mon Sep 17 00:00:00 2001 From: Luke Duncalfe Date: Thu, 7 Feb 2019 12:04:09 +1300 Subject: [PATCH] Removing sensitive properties from ProjectType defaultBranch and ciConfigPath should only be available to users with the :download_code permission for the Project, as the respository might be private. When implementing the authorize check on these properties, it was found that our current Graphql::Authorize::Instrumentation class does not work with fields that resolve to subclasses of GraphQL::Schema::Scalar, like GraphQL::STRING_TYPE. After discussion with other Create Team members, it has been decided that because the GraphQL API is not GA, to remove these properties from ProjectType, and instead implement them as part of epic https://gitlab.com/groups/gitlab-org/-/epics/711 Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/55316 --- app/graphql/types/project_type.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/app/graphql/types/project_type.rb b/app/graphql/types/project_type.rb index 050706f97be..587e55c611f 100644 --- a/app/graphql/types/project_type.rb +++ b/app/graphql/types/project_type.rb @@ -16,7 +16,6 @@ module Types field :description, GraphQL::STRING_TYPE, null: true - field :default_branch, GraphQL::STRING_TYPE, null: true field :tag_list, GraphQL::STRING_TYPE, null: true field :ssh_url_to_repo, GraphQL::STRING_TYPE, null: true @@ -59,7 +58,6 @@ module Types end field :import_status, GraphQL::STRING_TYPE, null: true - field :ci_config_path, GraphQL::STRING_TYPE, null: true field :only_allow_merge_if_pipeline_succeeds, GraphQL::BOOLEAN_TYPE, null: true field :request_access_enabled, GraphQL::BOOLEAN_TYPE, null: true -- GitLab