Users who can read group should read group token

Changelog: fixed

Users who can read group should read group token
Changelog: fixed
7fa72910 · Serena Fang · Douglas Barbosa Alexandre · 86a01c36 · 7fa72910 · 7fa72910
Commit 7fa72910 authored Feb 28, 2022 by Serena Fang Committed by Douglas Barbosa Alexandre Mar 08, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

app/graphql/types/user_interface.rb app/graphql/types/user_interface.rb +4 -0

lib/api/entities/user_safe.rb lib/api/entities/user_safe.rb +4 -0

No files found.
--- a/app/graphql/types/user_interface.rb
+++ b/app/graphql/types/user_interface.rb
@@ -136,6 +136,10 @@ module Types
    def redacted_name
      return object.name unless object.project_bot?

+      if object.groups
+        return object.name if context[:current_user]&.can?(:read_group, object.groups.first)
+      end
+
      return object.name if context[:current_user]&.can?(:read_project, object.projects.first)

      # If the requester does not have permission to read the project bot name,

--- a/lib/api/entities/user_safe.rb
+++ b/lib/api/entities/user_safe.rb
@@ -11,6 +11,10 @@ module API

        current_user = request.respond_to?(:current_user) ? request.current_user : options.fetch(:current_user, nil)

+        if user.groups
+          next user.name if current_user&.can?(:read_group, user.groups.first)
+        end
+
        next user.name if current_user&.can?(:read_project, user.projects.first)

        # If the requester does not have permission to read the project bot name,