authorGitLab Bot <gitlab-bot@gitlab.com>2020-12-04 19:49:26 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-12-04 19:49:26 +0300
commit66ebf02c05dc69a65731d61baf28ef3335db2bbf (patch)
treee82468af43b2fec9a4d841457d41d183b7a9d5e7
parentd00f14d73f41129f9d986d4bec32f1f927b525a6 (diff)
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
-rw-r--r--app/graphql/types/user_type.rb2
-rw-r--r--changelogs/unreleased/security-290-graphql-exposed-email.yml5
-rw-r--r--spec/requests/api/graphql/user_query_spec.rb2
3 files changed, 7 insertions, 2 deletions
diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb
index 11c5369f726..2bb2284f8b0 100644
--- a/app/graphql/types/user_type.rb
+++ b/app/graphql/types/user_type.rb
@@ -19,7 +19,7 @@ module Types
field :state, Types::UserStateEnum, null: false,
description: 'State of the user'
field :email, GraphQL::STRING_TYPE, null: true,
- description: 'User email'
+ description: 'User email', method: :public_email
field :avatar_url, GraphQL::STRING_TYPE, null: true,
description: "URL of the user's avatar"
field :web_url, GraphQL::STRING_TYPE, null: false,
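Review bot: The description on the new line still reads 'User email' although the field now resolves through public_email, so the schema documentation will not tell clients that the value is null unless the user has chosen to publish an email; change it to `description: 'User email, or null if the user has not set a public email'`. Routing the field through public_email rather than the email column is the right fix for the exposure, and a one-line comment on the field would stop a later maintainer from reverting it, e.g. `# Only the opt-in public email is exposed; the primary email is private`. The accompanying spec change appears to substitute presenter.public_email in the existing expectation only, so a case asserting the field is null for a user with no public email would pin the fix, though that hunk is cut off here. The enclosing module Types and the type class start outside the hunk.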
diff --git a/changelogs/unreleased/security-290-graphql-exposed-email.yml b/changelogs/unreleased/security-290-graphql-exposed-email.yml
new file mode 100644
index 00000000000..8b07bb1342f
--- /dev/null
+++ b/changelogs/unreleased/security-290-graphql-exposed-email.yml
@@ -0,0 +1,5 @@
+---
+title: 'GraphQL User: do not expose email if set to private'
+merge_request:
+author:
+type: security
diff --git a/spec/requests/api/graphql/user_query_spec.rb b/spec/requests/api/graphql/user_query_spec.rb
index 738e120549e..ef313504388 100644
--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -82,7 +82,7 @@ RSpec.describe 'getting user information' do
'username' => presenter.username,
'webUrl' => presenter.web_url,
'avatarUrl' => presenter.avatar_url,
- 'email' => presenter.email
+ 'email' => presenter.public_email
))
expect(graphql_data['user']['status']).to match(