Commit a8491706 authored by Jan Provaznik's avatar Jan Provaznik Committed by Marin Jankovski

Use BasicGroupDetails for rendering a board group

If group entity is not set, all group attributes are
exposed to user which may lead to exposing sensitive attributes.
parent f67f274e
...@@ -31,32 +31,7 @@ Example response: ...@@ -31,32 +31,7 @@ Example response:
"group": { "group": {
"id": 5, "id": 5,
"name": "Documentcloud", "name": "Documentcloud",
"path": "documentcloud", "web_url": "http://example.com/groups/documentcloud"
"owner_id": null,
"created_at": "2018-05-07T06:52:45.788Z",
"updated_at": "2018-07-03T06:48:17.005Z",
"description": "Consequatur aut a aperiam ut.",
"avatar": {
"url": null
},
"membership_lock": false,
"share_with_group_lock": false,
"visibility_level": 20,
"request_access_enabled": false,
"ldap_sync_status": "ready",
"ldap_sync_error": null,
"ldap_sync_last_update_at": null,
"ldap_sync_last_successful_update_at": null,
"ldap_sync_last_sync_at": null,
"lfs_enabled": null,
"parent_id": null,
"shared_runners_minutes_limit": null,
"repository_size_limit": null,
"require_two_factor_authentication": false,
"two_factor_grace_period": 48,
"plan_id": null,
"project_creation_level": 2,
"runners_token": "rgeeL-nv4wa9YdRvuMid"
}, },
"milestone": { "milestone": {
"id": 12 "id": 12
...@@ -121,32 +96,7 @@ Example response: ...@@ -121,32 +96,7 @@ Example response:
"group": { "group": {
"id": 5, "id": 5,
"name": "Documentcloud", "name": "Documentcloud",
"path": "documentcloud", "web_url": "http://example.com/groups/documentcloud"
"owner_id": null,
"created_at": "2018-05-07T06:52:45.788Z",
"updated_at": "2018-07-03T06:48:17.005Z",
"description": "Consequatur aut a aperiam ut.",
"avatar": {
"url": null
},
"membership_lock": false,
"share_with_group_lock": false,
"visibility_level": 20,
"request_access_enabled": false,
"ldap_sync_status": "ready",
"ldap_sync_error": null,
"ldap_sync_last_update_at": null,
"ldap_sync_last_successful_update_at": null,
"ldap_sync_last_sync_at": null,
"lfs_enabled": null,
"parent_id": null,
"shared_runners_minutes_limit": null,
"repository_size_limit": null,
"require_two_factor_authentication": false,
"two_factor_grace_period": 48,
"plan_id": null,
"project_creation_level": 2,
"runners_token": "rgeeL-nv4wa9YdRvuMid"
}, },
"milestone": { "milestone": {
"id": 12 "id": 12
...@@ -210,32 +160,7 @@ Example response: ...@@ -210,32 +160,7 @@ Example response:
"group": { "group": {
"id": 5, "id": 5,
"name": "Documentcloud", "name": "Documentcloud",
"path": "documentcloud", "web_url": "http://example.com/groups/documentcloud"
"owner_id": null,
"created_at": "2018-05-07T06:52:45.788Z",
"updated_at": "2018-07-03T06:48:17.005Z",
"description": "Consequatur aut a aperiam ut.",
"avatar": {
"url": null
},
"membership_lock": false,
"share_with_group_lock": false,
"visibility_level": 20,
"request_access_enabled": false,
"ldap_sync_status": "ready",
"ldap_sync_error": null,
"ldap_sync_last_update_at": null,
"ldap_sync_last_successful_update_at": null,
"ldap_sync_last_sync_at": null,
"lfs_enabled": null,
"parent_id": null,
"shared_runners_minutes_limit": null,
"repository_size_limit": null,
"require_two_factor_authentication": false,
"two_factor_grace_period": 48,
"plan_id": null,
"project_creation_level": 2,
"runners_token": "rgeeL-nv4wa9YdRvuMid"
}, },
"milestone": { "milestone": {
"id": 12 "id": 12
...@@ -309,32 +234,7 @@ Example response: ...@@ -309,32 +234,7 @@ Example response:
"group": { "group": {
"id": 5, "id": 5,
"name": "Documentcloud", "name": "Documentcloud",
"path": "documentcloud", "web_url": "http://example.com/groups/documentcloud"
"owner_id": null,
"created_at": "2018-05-07T06:52:45.788Z",
"updated_at": "2018-07-03T06:48:17.005Z",
"description": "Consequatur aut a aperiam ut.",
"avatar": {
"url": null
},
"membership_lock": false,
"share_with_group_lock": false,
"visibility_level": 20,
"request_access_enabled": false,
"ldap_sync_status": "ready",
"ldap_sync_error": null,
"ldap_sync_last_update_at": null,
"ldap_sync_last_successful_update_at": null,
"ldap_sync_last_sync_at": null,
"lfs_enabled": null,
"parent_id": null,
"shared_runners_minutes_limit": null,
"repository_size_limit": null,
"require_two_factor_authentication": false,
"two_factor_grace_period": 48,
"plan_id": null,
"project_creation_level": 2,
"runners_token": "rgeeL-nv3wa6YdRvuMid"
}, },
"milestone": { "milestone": {
"id": 44, "id": 44,
......
---
title: Expose only basic group attributes in boards API.
merge_request:
author:
type: security
...@@ -123,7 +123,7 @@ module EE ...@@ -123,7 +123,7 @@ module EE
prepended do prepended do
# Default filtering configuration # Default filtering configuration
expose :name expose :name
expose :group expose :group, using: ::API::Entities::BasicGroupDetails
with_options if: ->(board, _) { board.parent.feature_available?(:scoped_issue_board) } do with_options if: ->(board, _) { board.parent.feature_available?(:scoped_issue_board) } do
expose :milestone do |board| expose :milestone do |board|
......
...@@ -12,7 +12,20 @@ ...@@ -12,7 +12,20 @@
"labels" "labels"
], ],
"properties": { "properties": {
"group": { "type": ["object", null] }, "group": {
"type": ["object", "null"],
"required": [
"id",
"web_url",
"name"
],
"properties": {
"id": { "type": "integer" },
"web_url": { "type": "string" },
"name": { "type": "string" }
},
"additionalProperties": false
},
"name": { "type": "string" }, "name": { "type": "string" },
"weight": { "type": ["integer", "null"] }, "weight": { "type": ["integer", "null"] },
"assignee": { "assignee": {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment