Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee

66ebf02c · GitLab Bot · d00f14d7 · 66ebf02c · 66ebf02c · 66ebf02c
Commit 66ebf02c authored Dec 04, 2020 by GitLab Bot
3 changed files
--- a/app/graphql/types/user_type.rb
+++ b/app/graphql/types/user_type.rb
@@ -19,7 +19,7 @@ module Types
    field :state, Types::UserStateEnum, null: false,
          description: 'State of the user'
    field :email, GraphQL::STRING_TYPE, null: true,
-          description: 'User email'
+          description: 'User email', method: :public_email
    field :avatar_url, GraphQL::STRING_TYPE, null: true,
          description: "URL of the user's avatar"
    field :web_url, GraphQL::STRING_TYPE, null: false,

--- a/changelogs/unreleased/security-290-graphql-exposed-email.yml
+++ b/changelogs/unreleased/security-290-graphql-exposed-email.yml
+---
+title: 'GraphQL User: do not expose email if set to private'
+merge_request:
+author:
+type: security
--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do
            'username' => presenter.username,
            'webUrl' => presenter.web_url,
            'avatarUrl' => presenter.avatar_url,
-            'email' => presenter.email
+            'email' => presenter.public_email
          ))

        expect(graphql_data['user']['status']).to match(