
Don't display the `is_admin?` flag for user API responses

What does this MR do?

  • Don't display the is_admin flag in most API responses
  • Only display the flag in places where we display the private_token

Are there points in the code the reviewer needs to double check?

Nothing I can think of

Why was this MR needed?

To prevent an attacker enumerating all user accounts and figuring out which users are admins.

What are the relevant issue numbers?

Closes #29903

Tasks

  • Implementation
  • Tests
    • Added
    • Passing
  • Meta
    • CHANGELOG entry created
    • API support added
    • Branch has no merge conflicts with master
    • Squashed related commits together
    • Added screenshots
    • Check for clean merge with EE
    • Documentation added/updated
  • Review
    • Reviewer
    • Maintainer
  • Wait for merge
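
A regression check for the rule stated in this MR, written as an added example (not code from the merge request or from GitLab): it walks a parsed API response and reports every object that carries `is_admin` without also carrying `private_token`. The function name, the sample responses and the coverage of nested objects are assumptions that go beyond what the description states.

```ruby
require 'json'

# Returns the JSON paths of every object that exposes `is_admin`
# without also exposing `private_token` (hypothetical helper).
def admin_flag_leaks(node, path = '$')
  case node
  when Hash
    leaks = []
    leaks << path if node.key?('is_admin') && !node.key?('private_token')
    node.each { |key, value| leaks.concat(admin_flag_leaks(value, "#{path}.#{key}")) }
    leaks
  when Array
    node.each_with_index.flat_map { |value, i| admin_flag_leaks(value, "#{path}[#{i}]") }
  else
    []
  end
end

# Constructed sample responses, not real API output.
# A user listing that still exposes the flag on every account.
USER_LIST_BEFORE = JSON.parse(<<~JSON)
  [
    {"id": 1, "username": "root", "is_admin": true},
    {"id": 2, "username": "alice", "is_admin": false}
  ]
JSON

# The same listing with the flag removed.
USER_LIST_AFTER = JSON.parse(<<~JSON)
  [
    {"id": 1, "username": "root"},
    {"id": 2, "username": "alice"}
  ]
JSON

# A response that already shows the private_token may keep the flag.
TOKEN_RESPONSE = JSON.parse(<<~JSON)
  {"id": 1, "username": "root", "is_admin": true, "private_token": "CONSTRUCTED-TOKEN"}
JSON

# A user object embedded in another resource is checked as well.
NESTED_RESPONSE = JSON.parse(<<~JSON)
  {"id": 10, "title": "example", "author": {"id": 1, "username": "root", "is_admin": true}}
JSON
```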
