Merge branch 'read-project-bot-names' into 'master'

Users who can read project should be able to read project bot name See merge request gitlab-org/gitlab!78319

Merge branch 'read-project-bot-names' into 'master'
Users who can read project should be able to read project bot name See merge request gitlab-org/gitlab!78319
b99ebc5d · Vasilii Iakliushin · 9391ddd8 · 933798cc · b99ebc5d · b99ebc5d
Commit b99ebc5d authored Jan 21, 2022 by Vasilii Iakliushin
5 changed files
--- a/app/graphql/types/user_interface.rb
+++ b/app/graphql/types/user_interface.rb
@@ -31,7 +31,7 @@ module Types
          null: false,
          resolver_method: :redacted_name,
          description: 'Human-readable name of the user. ' \
-          'Will return `****` if the user is a project bot and the requester does not have permission to read resource access tokens.'
+          'Returns `****` if the user is a project bot and the requester does not have permission to view the project.'
    field :state,
          type: Types::UserStateEnum,
@@ -127,7 +127,7 @@ module Types
    def redacted_name
      return object.name unless object.project_bot?
-      return object.name if context[:current_user]&.can?(:read_resource_access_tokens, object.projects.first)
+      return object.name if context[:current_user]&.can?(:read_project, object.projects.first)
      # If the requester does not have permission to read the project bot name,
      # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:

--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -12025,7 +12025,7 @@ A user assigned to a merge request.
 | <a id="mergerequestassigneeid"></a>`id` | [`ID!`](#id) | ID of the user. |
 | <a id="mergerequestassigneelocation"></a>`location` | [`String`](#string) | Location of the user. |
 | <a id="mergerequestassigneemergerequestinteraction"></a>`mergeRequestInteraction` | [`UserMergeRequestInteraction`](#usermergerequestinteraction) | Details of this user's interactions with the merge request. |
-| <a id="mergerequestassigneename"></a>`name` | [`String!`](#string) | Human-readable name of the user. Will return `****` if the user is a project bot and the requester does not have permission to read resource access tokens. |
+| <a id="mergerequestassigneename"></a>`name` | [`String!`](#string) | Human-readable name of the user. Returns `****` if the user is a project bot and the requester does not have permission to view the project. |
 | <a id="mergerequestassigneenamespace"></a>`namespace` | [`Namespace`](#namespace) | Personal namespace of the user. |
 | <a id="mergerequestassigneeprojectmemberships"></a>`projectMemberships` | [`ProjectMemberConnection`](#projectmemberconnection) | Project memberships of the user. (see [Connections](#connections)) |
 | <a id="mergerequestassigneepublicemail"></a>`publicEmail` | [`String`](#string) | User's public email. |
@@ -12280,7 +12280,7 @@ A user assigned to a merge request as a reviewer.
 | <a id="mergerequestreviewerid"></a>`id` | [`ID!`](#id) | ID of the user. |
 | <a id="mergerequestreviewerlocation"></a>`location` | [`String`](#string) | Location of the user. |
 | <a id="mergerequestreviewermergerequestinteraction"></a>`mergeRequestInteraction` | [`UserMergeRequestInteraction`](#usermergerequestinteraction) | Details of this user's interactions with the merge request. |
-| <a id="mergerequestreviewername"></a>`name` | [`String!`](#string) | Human-readable name of the user. Will return `****` if the user is a project bot and the requester does not have permission to read resource access tokens. |
+| <a id="mergerequestreviewername"></a>`name` | [`String!`](#string) | Human-readable name of the user. Returns `****` if the user is a project bot and the requester does not have permission to view the project. |
 | <a id="mergerequestreviewernamespace"></a>`namespace` | [`Namespace`](#namespace) | Personal namespace of the user. |
 | <a id="mergerequestreviewerprojectmemberships"></a>`projectMemberships` | [`ProjectMemberConnection`](#projectmemberconnection) | Project memberships of the user. (see [Connections](#connections)) |
 | <a id="mergerequestreviewerpublicemail"></a>`publicEmail` | [`String`](#string) | User's public email. |
@@ -15501,7 +15501,7 @@ Core represention of a GitLab user.
 | <a id="usercoregroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="usercoreid"></a>`id` | [`ID!`](#id) | ID of the user. |
 | <a id="usercorelocation"></a>`location` | [`String`](#string) | Location of the user. |
-| <a id="usercorename"></a>`name` | [`String!`](#string) | Human-readable name of the user. Will return `****` if the user is a project bot and the requester does not have permission to read resource access tokens. |
+| <a id="usercorename"></a>`name` | [`String!`](#string) | Human-readable name of the user. Returns `****` if the user is a project bot and the requester does not have permission to view the project. |
 | <a id="usercorenamespace"></a>`namespace` | [`Namespace`](#namespace) | Personal namespace of the user. |
 | <a id="usercoreprojectmemberships"></a>`projectMemberships` | [`ProjectMemberConnection`](#projectmemberconnection) | Project memberships of the user. (see [Connections](#connections)) |
 | <a id="usercorepublicemail"></a>`publicEmail` | [`String`](#string) | User's public email. |
@@ -18736,7 +18736,7 @@ Implementations:
 | <a id="usergroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="userid"></a>`id` | [`ID!`](#id) | ID of the user. |
 | <a id="userlocation"></a>`location` | [`String`](#string) | Location of the user. |
-| <a id="username"></a>`name` | [`String!`](#string) | Human-readable name of the user. Will return `****` if the user is a project bot and the requester does not have permission to read resource access tokens. |
+| <a id="username"></a>`name` | [`String!`](#string) | Human-readable name of the user. Returns `****` if the user is a project bot and the requester does not have permission to view the project. |
 | <a id="usernamespace"></a>`namespace` | [`Namespace`](#namespace) | Personal namespace of the user. |
 | <a id="userprojectmemberships"></a>`projectMemberships` | [`ProjectMemberConnection`](#projectmemberconnection) | Project memberships of the user. (see [Connections](#connections)) |
 | <a id="userpublicemail"></a>`publicEmail` | [`String`](#string) | User's public email. |
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -42,7 +42,7 @@ To create a project access token:
 1. On the top bar, select **Menu > Projects** and find your project.
 1. On the left sidebar, select **Settings > Access Tokens**.
-1. Enter a name.
+1. Enter a name. The token name is visible to any user with permissions to view the project.
 1. Optional. Enter an expiry date for the token. The token will expire on that date at midnight UTC.
 1. Select a role for the token.
 1. Select the [desired scopes](#scopes-for-a-project-access-token).

--- a/lib/api/entities/user_safe.rb
+++ b/lib/api/entities/user_safe.rb
@@ -7,7 +7,7 @@ module API
      expose :name do |user|
        next user.name unless user.project_bot?
-        next user.name if options[:current_user]&.can?(:read_resource_access_tokens, user.projects.first)
+        next user.name if options[:current_user]&.can?(:read_project, user.projects.first)
        # If the requester does not have permission to read the project bot name,
        # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:

--- a/spec/graphql/types/user_type_spec.rb
+++ b/spec/graphql/types/user_type_spec.rb
@@ -67,14 +67,14 @@ RSpec.describe GitlabSchema.types['User'] do
      )
    end
-    subject { GitlabSchema.execute(query, context: { current_user: current_user }).as_json.dig('data', 'user', 'name') }
+    subject(:user_name) { GitlabSchema.execute(query, context: { current_user: current_user }).as_json.dig('data', 'user', 'name') }
    context 'user requests' do
      let(:current_user) { user }
      context 'a user' do
        it 'returns name' do
-          expect(subject).to eq('John Smith')
+          expect(user_name).to eq('John Smith')
        end
      end
@@ -85,21 +85,39 @@ RSpec.describe GitlabSchema.types['User'] do
          let(:current_user) { nil }
          it 'returns `****`' do
-            expect(subject).to eq('****')
+            expect(user_name).to eq('****')
          end
        end
-        it 'returns `****` for a regular user' do
+        context 'when the requester is not a project member' do
-          expect(subject).to eq('****')
+          it 'returns `Project bot` for a non project member in a public project' do
+            expect(user_name).to eq('Project bot')
+          end
+          context 'in a private project' do
+            let(:project) { create(:project, :private) }
+            it 'returns `****` for a non project member in a private project' do
+              expect(user_name).to eq('****')
+            end
+          end
        end
-        context 'when requester is a project maintainer' do
+        context 'with a project member' do
          before do
-            project.add_maintainer(user)
+            project.add_guest(user)
+          end
+          it 'returns `Project bot` for a project member' do
+            expect(user_name).to eq('Project bot')
          end
-          it 'returns name' do
+          context 'in a private project' do
-            expect(subject).to eq('Project bot')
+            let(:project) { create(:project, :private) }
+            it 'returns `Project bot` for a project member in a private project' do
+              expect(user_name).to eq('Project bot')
+            end
          end
        end
      end