At commit time
When TULEAP-XXX is present in a commit message, a Merge Request (MR) title or description or in a tag:
- and XXX is an artifact that belongs to the Tuleap project the GitLab repository is integrated with
- and XXX has a title semantic
- and the title field is readable by "all_users" (regardless of the permission of the project)
Then the Tuleap Bot comments with the message:
This X references: [TULEAP-XXX title](https://...).
When the title of artifact XXX is updated and the permission of the field is still READ for all_users, the Tuleap Bot will push the new title:
Referenced Tuleap artifact TULEAP-XXX was renamed to [TULEAP-XXX new title](https://...).
Protections against possible exfiltration of data by a malicious GitLab user: someone could use the GitLab instance to craft commits or MRs that enumerate Tuleap artifacts ("TULEAP-1, TULEAP-2, ...") to get access to data that might be confidential on the Tuleap instance.
To prevent this exfiltration of data:
- When a GitLab repository is linked to a Tuleap project, a reference (TULEAP-XXX) can only be made to artifacts within that project (artifact 1234 must be part of the Tuleap project).
  - If it's not, the Tuleap Bot will comment on the MR with "TULEAP-XXX not found in project YYYY".
- For the title to be included in the message, the data must already be public:
  - The platform must be open to anonymous users
  - The Tuleap project the referenced artifact belongs to must be public
  - The tracker the artifact belongs to must be accessible to "all_users"
  - The Read permission of the Title field must be set to "all_users"; otherwise the message contains only the bare link.
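
The decision described by the protections above, as an added example (not Tuleap's own code). The data model, the URL, the bare-link message format and the handling of ids that do not exist at all are assumptions; the sample artifacts are constructed.

```python
import re
from dataclasses import dataclass

REF = re.compile(r"\bTULEAP-(\d+)\b")
BASE_URL = "https://tuleap.example.test/artifact/"  # constructed placeholder URL

@dataclass(frozen=True)
class Artifact:
    project: str
    title: str
    project_public: bool
    tracker_readers: str  # group allowed to access the tracker
    title_readers: str    # group holding Read on the Title field

def title_is_public(a, platform_anonymous):
    # All four conditions must hold before the title may leave Tuleap.
    return (platform_anonymous and a.project_public
            and a.tracker_readers == "all_users"
            and a.title_readers == "all_users")

def bot_comments(text, kind, linked_project, artifacts, platform_anonymous):
    """Comments the bot would post for each distinct TULEAP-XXX in text."""
    comments = []
    for aid in dict.fromkeys(int(n) for n in REF.findall(text)):
        a = artifacts.get(aid)
        # Assumption: unknown ids get the same reply as ids from another
        # project, so the reply does not reveal which ids exist elsewhere.
        if a is None or a.project != linked_project:
            comments.append(f"TULEAP-{aid} not found in project {linked_project}")
            continue
        label = f"TULEAP-{aid}"
        if title_is_public(a, platform_anonymous):
            label += f" {a.title}"
        comments.append(f"This {kind} references: [{label}]({BASE_URL}{aid}).")
    return comments

# Constructed sample data: project names, titles and groups are made up.
ARTIFACTS = {
    1: Artifact("webshop", "Fix login redirect", True, "all_users", "all_users"),
    2: Artifact("webshop", "Rotate leaked API key", True, "all_users", "project_members"),
    3: Artifact("payroll", "Salary export bug", False, "project_members", "project_members"),
}

def replay_enumeration(last_id, platform_anonymous=True):
    """Replay a message citing TULEAP-1..last_id against the webshop repo."""
    text = " ".join(f"TULEAP-{i}" for i in range(1, last_id + 1))
    return bot_comments(text, "commit", "webshop", ARTIFACTS, platform_anonymous)
```

Replaying the enumeration against the sample data returns a title only for artifact 1; artifact 2 gets a bare link, and artifacts 3 and 4 get the same "not found" reply.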