Do not blindly expose public project statistics

Add the missing check on GraphQL API for project statistics
author: Mayra Cabrera <mcabrera@gitlab.com> 2019-06-14 23:40:21 +0300
committer: Stan Hu <stanhu@gmail.com> 2019-06-14 23:40:21 +0300
commit: d7f10c2949cef3fb6c15d4972cf8e8186d6d84a0 (patch)
tree: cc17c353be14a903723f55a715f70128e31439e8 /app/graphql/types
parent: ad722a4e1f588382f5c5c1848c0502864993c7e7 (diff)
2 files changed, 3 insertions, 1 deletions
diff --git a/app/graphql/types/project_statistics_type.rb b/app/graphql/types/project_statistics_type.rb
index 62537361918..4000c6db280 100644
--- a/app/graphql/types/project_statistics_type.rb
+++ b/app/graphql/types/project_statistics_type.rb
@@ -4,6 +4,8 @@ module Types
   class ProjectStatisticsType < BaseObject
     graphql_name 'ProjectStatistics'
 
+    authorize :read_statistics
+
     field :commit_count, GraphQL::INT_TYPE, null: false
 
     field :storage_size, GraphQL::INT_TYPE, null: false
diff --git a/app/graphql/types/project_type.rb b/app/graphql/types/project_type.rb
index 2236ffa394d..81914b70c7f 100644
--- a/app/graphql/types/project_type.rb
+++ b/app/graphql/types/project_type.rb
@@ -70,7 +70,7 @@ module Types
     field :group, Types::GroupType, null: true
 
     field :statistics, Types::ProjectStatisticsType,
-          null: false,
+          null: true,
           resolve: -> (obj, _args, _ctx) { Gitlab::Graphql::Loaders::BatchProjectStatisticsLoader.new(obj.id).find }
 
     field :repository, Types::RepositoryType, null: false
author	Mayra Cabrera <mcabrera@gitlab.com>	2019-06-14 23:40:21 +0300
committer	Stan Hu <stanhu@gmail.com>	2019-06-14 23:40:21 +0300
commit	d7f10c2949cef3fb6c15d4972cf8e8186d6d84a0 (patch)
tree	cc17c353be14a903723f55a715f70128e31439e8 /app/graphql/types
parent	ad722a4e1f588382f5c5c1848c0502864993c7e7 (diff)