Commit fca4d1a5 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-290-graphql-exposed-email' into 'master'

GraphQL User: public_email instead of email

See merge request gitlab-org/security/gitlab!1062
parents 74076e59 03cb51a3
...@@ -19,7 +19,8 @@ module Types ...@@ -19,7 +19,8 @@ module Types
field :state, Types::UserStateEnum, null: false, field :state, Types::UserStateEnum, null: false,
description: 'State of the user' description: 'State of the user'
field :email, GraphQL::STRING_TYPE, null: true, field :email, GraphQL::STRING_TYPE, null: true,
description: 'User email' description: 'User email', method: :public_email,
deprecated: { reason: 'Use public_email', milestone: '13.7' }
field :public_email, GraphQL::STRING_TYPE, null: true, field :public_email, GraphQL::STRING_TYPE, null: true,
description: "User's public email" description: "User's public email"
field :avatar_url, GraphQL::STRING_TYPE, null: true, field :avatar_url, GraphQL::STRING_TYPE, null: true,
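Review bot: The `email` field still carries `description: 'User email'` even though `method: :public_email` now makes it resolve to the public address only, so the schema does not tell clients that the value changed meaning and may be null when no public email is set. I would change the line to something like `description: 'User email. Returns the public email only', method: :public_email,` and regenerate the schema docs. Only this type is visible here and the module body continues outside the hunk, so it is worth confirming that no other GraphQL field or type still resolves to the private `email` attribute.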
......
---
title: 'GraphQL User: do not expose email if set to private'
merge_request:
author:
type: security
...@@ -23392,9 +23392,9 @@ type User { ...@@ -23392,9 +23392,9 @@ type User {
avatarUrl: String avatarUrl: String
""" """
User email User email. Deprecated in 13.7: Use public_email
""" """
email: String email: String @deprecated(reason: "Use public_email. Deprecated in 13.7")
""" """
Group count for the user. Available only when feature flag `user_group_counts` is enabled Group count for the user. Available only when feature flag `user_group_counts` is enabled
......
...@@ -68090,7 +68090,7 @@ ...@@ -68090,7 +68090,7 @@
}, },
{ {
"name": "email", "name": "email",
"description": "User email", "description": "User email. Deprecated in 13.7: Use public_email",
"args": [ "args": [
], ],
...@@ -68099,8 +68099,8 @@ ...@@ -68099,8 +68099,8 @@
"name": "String", "name": "String",
"ofType": null "ofType": null
}, },
"isDeprecated": false, "isDeprecated": true,
"deprecationReason": null "deprecationReason": "Use public_email. Deprecated in 13.7"
}, },
{ {
"name": "groupCount", "name": "groupCount",
...@@ -3527,7 +3527,7 @@ Autogenerated return type of UpdateSnippet. ...@@ -3527,7 +3527,7 @@ Autogenerated return type of UpdateSnippet.
| `assignedMergeRequests` | MergeRequestConnection | Merge Requests assigned to the user | | `assignedMergeRequests` | MergeRequestConnection | Merge Requests assigned to the user |
| `authoredMergeRequests` | MergeRequestConnection | Merge Requests authored by the user | | `authoredMergeRequests` | MergeRequestConnection | Merge Requests authored by the user |
| `avatarUrl` | String | URL of the user's avatar | | `avatarUrl` | String | URL of the user's avatar |
| `email` | String | User email | | `email` **{warning-solid}** | String | **Deprecated:** Use public_email. Deprecated in 13.7 |
| `groupCount` | Int | Group count for the user. Available only when feature flag `user_group_counts` is enabled | | `groupCount` | Int | Group count for the user. Available only when feature flag `user_group_counts` is enabled |
| `groupMemberships` | GroupMemberConnection | Group memberships of the user | | `groupMemberships` | GroupMemberConnection | Group memberships of the user |
| `id` | ID! | ID of the user | | `id` | ID! | ID of the user |
......
...@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do ...@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do
'username' => presenter.username, 'username' => presenter.username,
'webUrl' => presenter.web_url, 'webUrl' => presenter.web_url,
'avatarUrl' => presenter.avatar_url, 'avatarUrl' => presenter.avatar_url,
'email' => presenter.email, 'email' => presenter.public_email,
'publicEmail' => presenter.public_email 'publicEmail' => presenter.public_email
)) ))
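Review bot: The updated expectation `'email' => presenter.public_email` only proves the private address is withheld if the fixture user's `email` and `public_email` differ, and the user setup is outside this hunk. If the two values happen to be equal, the spec would also pass against the old resolver that returned `email`. I would add a guard before the match such as `expect(presenter.public_email).not_to eq(presenter.email)`, or a dedicated example with a user who has a private email and no public one, asserting that `'email'` comes back nil.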
......