Merge branch 'sfang-do-not-show-token-name' into 'master'

Do not expose user name if user is project bot See merge request gitlab-org/gitlab!54022

Merge branch 'sfang-do-not-show-token-name' into 'master'
Do not expose user name if user is project bot See merge request gitlab-org/gitlab!54022
37814a05 · Etienne Baqué · 13871f84 · 343df1dd · 37814a05 · 37814a05
Commit 37814a05 authored Mar 03, 2021 by Etienne Baqué
5 changed files
--- a/changelogs/unreleased/sfang-do-not-show-token-name.yml
+++ b/changelogs/unreleased/sfang-do-not-show-token-name.yml
+---
+title: Do not expose user name if user is project bot
+merge_request: 54022
+author:
+type: changed
--- a/lib/api/entities/user_safe.rb
+++ b/lib/api/entities/user_safe.rb
@@ -3,7 +3,8 @@
 module API
  module Entities
    class UserSafe < Grape::Entity
-      expose :id, :name, :username
+      expose :id, :username
+      expose :name, unless: ->(user) { user.project_bot? && !options[:current_user].admin?}
    end
  end
 end
--- a/spec/features/projects/members/list_spec.rb
+++ b/spec/features/projects/members/list_spec.rb
@@ -127,7 +127,7 @@ RSpec.describe 'Project members list' do
      it 'does not show form used to change roles and "Expiration date" or the remove user button' do
        visit_members_page

-        page.within find_member_row(project_bot) do
+        page.within find_username_row(project_bot) do
          expect(page).not_to have_button('Maintainer')
          expect(page).to have_field('Expiration date', disabled: true)
          expect(page).not_to have_button('Remove member')

--- a/spec/lib/api/entities/user_spec.rb
+++ b/spec/lib/api/entities/user_spec.rb
@@ -35,4 +35,22 @@ RSpec.describe API::Entities::User do
      expect(subject[:bot]).to eq(true)
    end
  end
+
+  context 'with project bot user' do
+    let(:user) { create(:user, :project_bot) }
+
+    context 'when the requester is not an admin' do
+      it 'does not expose project bot user name' do
+        expect(subject).not_to include(:name)
+      end
+    end
+
+    context 'when the requester is an admin' do
+      let(:current_user) { create(:user, :admin) }
+
+      it 'exposes project bot user name' do
+        expect(subject).to include(:name)
+      end
+    end
+  end
 end
--- a/spec/support/helpers/features/members_table_helpers.rb
+++ b/spec/support/helpers/features/members_table_helpers.rb
@@ -41,6 +41,10 @@ module Spec
            find_row(user.name)
          end

+          def find_username_row(user)
+            find_row(user.username)
+          end
+
          def find_invited_member_row(email)
            find_row(email)
          end