GraphQL User: public_email instead of email

03cb51a3 · Mario de la Ossa · 54e5a8d4 · 03cb51a3 · 03cb51a3 · 03cb51a3
Commit 03cb51a3 authored Nov 05, 2020 by Mario de la Ossa
6 changed files
--- a/app/graphql/types/user_type.rb
+++ b/app/graphql/types/user_type.rb
@@ -19,7 +19,8 @@ module Types
    field :state, Types::UserStateEnum, null: false,
          description: 'State of the user'
    field :email, GraphQL::STRING_TYPE, null: true,
-          description: 'User email'
+          description: 'User email', method: :public_email,
+          deprecated: { reason: 'Use public_email', milestone: '13.7' }
    field :public_email, GraphQL::STRING_TYPE, null: true,
          description: "User's public email"
    field :avatar_url, GraphQL::STRING_TYPE, null: true,

--- a/changelogs/unreleased/security-290-graphql-exposed-email.yml
+++ b/changelogs/unreleased/security-290-graphql-exposed-email.yml
+---
+title: 'GraphQL User: do not expose email if set to private'
+merge_request:
+author:
+type: security
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -23295,9 +23295,9 @@ type User {
  avatarUrl: String

  """
-  User email
+  User email. Deprecated in 13.7: Use public_email
  """
-  email: String
+  email: String @deprecated(reason: "Use public_email. Deprecated in 13.7")

  """
  Group count for the user. Available only when feature flag `user_group_counts` is enabled

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -67704,7 +67704,7 @@
            },
            {
              "name": "email",
-              "description": "User email",
+              "description": "User email. Deprecated in 13.7: Use public_email",
              "args": [

              ],
@@ -67713,8 +67713,8 @@
                "name": "String",
                "ofType": null
              },
-              "isDeprecated": false,
-              "deprecationReason": null
+              "isDeprecated": true,
+              "deprecationReason": "Use public_email. Deprecated in 13.7"
            },
            {
              "name": "groupCount",
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -3487,7 +3487,7 @@ Autogenerated return type of UpdateSnippet.
 | `assignedMergeRequests` | MergeRequestConnection | Merge Requests assigned to the user |
 | `authoredMergeRequests` | MergeRequestConnection | Merge Requests authored by the user |
 | `avatarUrl` | String | URL of the user's avatar |
-| `email` | String | User email |
+| `email` **{warning-solid}** | String | **Deprecated:** Use public_email. Deprecated in 13.7 |
 | `groupCount` | Int | Group count for the user. Available only when feature flag `user_group_counts` is enabled |
 | `groupMemberships` | GroupMemberConnection | Group memberships of the user |
 | `id` | ID! | ID of the user |

--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do
            'username' => presenter.username,
            'webUrl' => presenter.web_url,
            'avatarUrl' => presenter.avatar_url,
-            'email' => presenter.email,
+            'email' => presenter.public_email,
            'publicEmail' => presenter.public_email
          ))