Merge branch 'security-290-graphql-exposed-email' into 'master'

GraphQL User: public_email instead of email See merge request gitlab-org/security/gitlab!1062

Merge branch 'security-290-graphql-exposed-email' into 'master'
GraphQL User: public_email instead of email See merge request gitlab-org/security/gitlab!1062
fca4d1a5 · GitLab Release Tools Bot · 74076e59 · 03cb51a3 · fca4d1a5 · fca4d1a5
Commit fca4d1a5 authored Dec 01, 2020 by GitLab Release Tools Bot
6 changed files
--- a/app/graphql/types/user_type.rb
+++ b/app/graphql/types/user_type.rb
@@ -19,7 +19,8 @@ module Types
    field :state, Types::UserStateEnum, null: false,
          description: 'State of the user'
    field :email, GraphQL::STRING_TYPE, null: true,
-          description: 'User email'
+          description: 'User email', method: :public_email,
+          deprecated: { reason: 'Use public_email', milestone: '13.7' }
    field :public_email, GraphQL::STRING_TYPE, null: true,
          description: "User's public email"
    field :avatar_url, GraphQL::STRING_TYPE, null: true,

--- a/changelogs/unreleased/security-290-graphql-exposed-email.yml
+++ b/changelogs/unreleased/security-290-graphql-exposed-email.yml
+---
+title: 'GraphQL User: do not expose email if set to private'
+merge_request:
+author:
+type: security
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -23392,9 +23392,9 @@ type User {
  avatarUrl: String

  """
-  User email
+  User email. Deprecated in 13.7: Use public_email
  """
-  email: String
+  email: String @deprecated(reason: "Use public_email. Deprecated in 13.7")

  """
  Group count for the user. Available only when feature flag `user_group_counts` is enabled

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -68090,7 +68090,7 @@
            },
            {
              "name": "email",
-              "description": "User email",
+              "description": "User email. Deprecated in 13.7: Use public_email",
              "args": [

              ],
@@ -68099,8 +68099,8 @@
                "name": "String",
                "ofType": null
              },
-              "isDeprecated": false,
-              "deprecationReason": null
+              "isDeprecated": true,
+              "deprecationReason": "Use public_email. Deprecated in 13.7"
            },
            {
              "name": "groupCount",
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -3527,7 +3527,7 @@ Autogenerated return type of UpdateSnippet.
 | `assignedMergeRequests` | MergeRequestConnection | Merge Requests assigned to the user |
 | `authoredMergeRequests` | MergeRequestConnection | Merge Requests authored by the user |
 | `avatarUrl` | String | URL of the user's avatar |
-| `email` | String | User email |
+| `email` **{warning-solid}** | String | **Deprecated:** Use public_email. Deprecated in 13.7 |
 | `groupCount` | Int | Group count for the user. Available only when feature flag `user_group_counts` is enabled |
 | `groupMemberships` | GroupMemberConnection | Group memberships of the user |
 | `id` | ID! | ID of the user |

--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do
            'username' => presenter.username,
            'webUrl' => presenter.web_url,
            'avatarUrl' => presenter.avatar_url,
-            'email' => presenter.email,
+            'email' => presenter.public_email,
            'publicEmail' => presenter.public_email
          ))