author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 16:49:26 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 16:49:26 +0000 |
commit | 66ebf02c05dc69a65731d61baf28ef3335db2bbf (patch) | |
tree | e82468af43b2fec9a4d841457d41d183b7a9d5e7 | |
parent | d00f14d73f41129f9d986d4bec32f1f927b525a6 (diff) | |
download | gitlab-ce-66ebf02c05dc69a65731d61baf28ef3335db2bbf.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
-rw-r--r-- | app/graphql/types/user_type.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-290-graphql-exposed-email.yml | 5 | ||||
-rw-r--r-- | spec/requests/api/graphql/user_query_spec.rb | 2 |
3 files changed, 7 insertions, 2 deletions
diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb
index 11c5369f726..2bb2284f8b0 100644
--- a/app/graphql/types/user_type.rb
+++ b/app/graphql/types/user_type.rb
@@ -19,7 +19,7 @@ module Types
 field :state, Types::UserStateEnum, null: false,
 description: 'State of the user'
 field :email, GraphQL::STRING_TYPE, null: true,
- description: 'User email'
+ description: 'User email', method: :public_email
 field :avatar_url, GraphQL::STRING_TYPE, null: true,
 description: "URL of the user's avatar"
 field :web_url, GraphQL::STRING_TYPE, null: false,
diff --git a/changelogs/unreleased/security-290-graphql-exposed-email.yml b/changelogs/unreleased/security-290-graphql-exposed-email.yml
new file mode 100644
index 00000000000..8b07bb1342f
--- /dev/null
+++ b/changelogs/unreleased/security-290-graphql-exposed-email.yml
@@ -0,0 +1,5 @@
+---
+title: 'GraphQL User: do not expose email if set to private'
+merge_request:
+author:
+type: security
diff --git a/spec/requests/api/graphql/user_query_spec.rb b/spec/requests/api/graphql/user_query_spec.rb
index 738e120549e..ef313504388 100644
--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do
 'username' => presenter.username,
 'webUrl' => presenter.web_url,
 'avatarUrl' => presenter.avatar_url,
- 'email' => presenter.email
+ 'email' => presenter.public_email
 ))
 expect(graphql_data['user']['status']).to match(
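Review bot: The description on the added line still reads 'User email' although the field now resolves `public_email`, so the generated schema docs will not tell API consumers that a private address is withheld; suggest `description: 'User email. Only the public email is returned; empty or nil when the user has not set one'` (confirm what `public_email` yields for a user without one before choosing the wording). Keeping the field name `email` while swapping its resolver is presumably deliberate for schema compatibility, and a one-line comment above the field such as `# Resolves to public_email only; the primary address must never be exposed here` would stop a later cleanup from reverting it. The `Types::UserType` class starts and ends outside the hunk.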
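Review bot: The updated expectation only asserts that `email` equals `presenter.public_email`, which passes for a fixture user with no public email but never checks that the primary address is absent from the response, so the negative case the changelog describes ("do not expose email if set to private") is not covered. A regression test for this fix should add, for a user whose email is private, `expect(graphql_data['user']['email']).not_to eq(user.email)` (assuming `user` is the record the query is issued for; its definition is outside the hunk). The `it` block enclosing these lines starts and ends outside the hunk.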