Merge branch 'group-token-name-visibility' into 'master'

Fix group bot token name in REST API and GraphQL See merge request gitlab-org/gitlab!81843

Merge branch 'group-token-name-visibility' into 'master'
Fix group bot token name in REST API and GraphQL See merge request gitlab-org/gitlab!81843
55cad6a2 · Douglas Barbosa Alexandre · 3342d32b · 17b99900 · 55cad6a2 · 55cad6a2
Commit 55cad6a2 authored Mar 08, 2022 by Douglas Barbosa Alexandre
5 changed files
--- a/app/graphql/types/user_interface.rb
+++ b/app/graphql/types/user_interface.rb
@@ -134,14 +134,7 @@ module Types
    end

    def redacted_name
-      return object.name unless object.project_bot?
-
-      return object.name if context[:current_user]&.can?(:read_project, object.projects.first)
-
-      # If the requester does not have permission to read the project bot name,
-      # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
-      # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
-      '****'
+      object.redacted_name(context[:current_user])
    end
  end
 end
--- a/app/models/concerns/has_user_type.rb
+++ b/app/models/concerns/has_user_type.rb
@@ -46,4 +46,17 @@ module HasUserType
  def internal?
    ghost? || (bot? && !project_bot?)
  end
+
+  def redacted_name(viewing_user)
+    return self.name unless self.project_bot?
+
+    return self.name if self.groups.any? && viewing_user&.can?(:read_group, self.groups.first)
+
+    return self.name if viewing_user&.can?(:read_project, self.projects.first)
+
+    # If the requester does not have permission to read the project bot name,
+    # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
+    # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
+    '****'
+  end
 end
--- a/lib/api/entities/user_safe.rb
+++ b/lib/api/entities/user_safe.rb
@@ -5,14 +5,7 @@ module API
    class UserSafe < Grape::Entity
      expose :id, :username
      expose :name do |user|
-        next user.name unless user.project_bot?
-
-        next user.name if options[:current_user]&.can?(:read_project, user.projects.first)
-
-        # If the requester does not have permission to read the project bot name,
-        # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
-        # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
-        '****'
+        user.redacted_name(options[:current_user])
      end
    end
  end

--- a/spec/graphql/types/user_type_spec.rb
+++ b/spec/graphql/types/user_type_spec.rb
@@ -52,10 +52,13 @@ RSpec.describe GitlabSchema.types['User'] do
    let_it_be(:user) { create(:user) }
    let_it_be(:requested_user) { create(:user, name: 'John Smith') }
    let_it_be(:requested_project_bot) { create(:user, :project_bot, name: 'Project bot') }
+    let_it_be(:requested_group_bot) { create(:user, :project_bot, name: 'Group bot') }
    let_it_be(:project) { create(:project, :public) }
+    let_it_be(:group) { create(:group, :public) }

    before do
      project.add_maintainer(requested_project_bot)
+      group.add_maintainer(requested_group_bot)
    end

    let(:username) { requested_user.username }
@@ -123,6 +126,50 @@ RSpec.describe GitlabSchema.types['User'] do
            end
          end
        end
+
+        context 'a group bot' do
+          let(:username) { requested_group_bot.username }
+
+          context 'when requester is nil' do
+            let(:current_user) { nil }
+
+            it 'returns `****`' do
+              expect(user_name).to eq('****')
+            end
+          end
+
+          context 'when the requester is not a group member' do
+            it 'returns `Group bot` for a non group member in a public group' do
+              expect(user_name).to eq('Group bot')
+            end
+
+            context 'in a private group' do
+              let(:group) { create(:group, :private) }
+
+              it 'returns `****` for a non group member in a private group' do
+                expect(user_name).to eq('****')
+              end
+            end
+          end
+
+          context 'with a group member' do
+            before do
+              group.add_guest(user)
+            end
+
+            it 'returns `Group bot` for a group member' do
+              expect(user_name).to eq('Group bot')
+            end
+
+            context 'in a private group' do
+              let(:group) { create(:group, :private) }
+
+              it 'returns `Group bot` for a group member in a private group' do
+                expect(user_name).to eq('Group bot')
+              end
+            end
+          end
+        end
      end
    end

@@ -142,6 +189,14 @@ RSpec.describe GitlabSchema.types['User'] do
          expect(subject).to eq('Project bot')
        end
      end
+
+      context 'a group bot' do
+        let(:username) { requested_group_bot.username }
+
+        it 'returns name' do
+          expect(subject).to eq('Group bot')
+        end
+      end
    end
  end


--- a/spec/lib/api/entities/user_spec.rb
+++ b/spec/lib/api/entities/user_spec.rb
@@ -78,6 +78,63 @@ RSpec.describe API::Entities::User do
    end
  end

+  context 'with group bot user' do
+    let(:group) { create(:group) }
+    let(:user) { create(:user, :project_bot, name: 'group bot') }
+
+    before do
+      group.add_maintainer(user)
+    end
+
+    it 'exposes user as a bot' do
+      expect(subject[:bot]).to eq(true)
+    end
+
+    context 'when the requester is not a group member' do
+      context 'with a public group' do
+        it 'exposes group bot user name' do
+          expect(subject[:name]).to eq('group bot')
+        end
+      end
+
+      context 'with a private group' do
+        let(:group) { create(:group, :private) }
+
+        it 'does not expose group bot user name' do
+          expect(subject[:name]).to eq('****')
+        end
+      end
+    end
+
+    context 'when the requester is nil' do
+      let(:current_user) { nil }
+
+      it 'does not expose group bot user name' do
+        expect(subject[:name]).to eq('****')
+      end
+    end
+
+    context 'when the requester is a group maintainer' do
+      let(:current_user) { create(:user) }
+
+      before do
+        group.add_maintainer(current_user)
+      end
+
+      it 'exposes group bot user name' do
+        expect(subject[:name]).to eq('group bot')
+      end
+    end
+
+    context 'when the requester is an admin' do
+      let(:current_user) { create(:user, :admin) }
+
+      it 'exposes group bot user name', :enable_admin_mode do
+        expect(subject[:name]).to eq('group bot')
+      end
+    end
+  end
+
  it 'exposes local_time' do
    local_time = '2:30 PM'
    expect(entity).to receive(:local_time).with(timezone).and_return(local_time)