add adminStatusVisible application setting

Knerio · Knerio · commit 191be80df864 · 2025-11-29T20:30:22.000+01:00
diff --git a/app/graphql/mutations/application_settings/update.rb b/app/graphql/mutations/application_settings/update.rb
@@ -8,6 +8,9 @@ class Update < BaseMutation
       field :application_settings, Types::ApplicationSettingsType, null: true,
                                                                    description: 'The updated application settings.'
 
+      argument :admin_status_visible, Boolean,
+               required: false,
+               description: 'Set if admin status can be queried by non-administrators.'
       argument :organization_creation_restricted, Boolean,
                required: false,
                description: 'Set if organization creation is restricted to administrators.'
diff --git a/app/graphql/types/application_settings_type.rb b/app/graphql/types/application_settings_type.rb
@@ -12,5 +12,9 @@ class ApplicationSettingsType < Types::BaseObject
     field :organization_creation_restricted, Boolean,
           null: false,
           description: 'Shows if organization creation is restricted to administrators'
+
+    field :admin_status_visible, Boolean,
+          null: false,
+          description: 'Shows if admin status can be queried by non-administrators'
   end
 end
diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb
@@ -8,7 +8,10 @@ class UserType < Types::BaseObject
 
     field :avatar_path, String, null: true, description: 'The avatar if present of the user'
 
-    field :admin, Boolean, null: false, description: 'Global admin status of the user'
+    field :admin, Boolean,
+          null: false,
+          description: 'Global admin status of the user',
+          authorize: :read_admin_status
     field :email, String, null: true, description: 'Email of the user', authorize: :read_email
     field :email_verified_at, Types::TimeType,
           null: true,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
@@ -11,9 +11,10 @@ class ApplicationSetting < ApplicationRecord
     user_registration_enabled: 1,
     organization_creation_restricted: 2,
     identity_providers: 3,
+    admin_status_visible: 4,
   }.with_indifferent_access
 
-  BOOLEAN_OPTIONS = %i[user_registration_enabled organization_creation_restricted].freeze
+  BOOLEAN_OPTIONS = %i[user_registration_enabled organization_creation_restricted admin_status_visible].freeze
 
   enum :setting, SETTINGS
 
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
@@ -3,6 +3,7 @@
 class UserPolicy < BasePolicy
   condition(:user_is_self) { subject.id == user&.id }
   condition(:user_is_admin) { user&.admin? || false }
+  condition(:admin_status_visible) { ApplicationSetting.current[:admin_status_visible] }
 
   rule { ~anonymous }.enable :read_user
 
@@ -12,8 +13,11 @@ class UserPolicy < BasePolicy
     enable :update_attachment_avatar
     enable :read_email
     enable :delete_user
+    enable :read_admin_status
   end
 
+  rule { admin_status_visible & ~anonymous }.enable :read_admin_status
+
   rule { user_is_self }.policy do
     enable :read_user_identity
     enable :manage_mfa
diff --git a/db/fixtures/01_application_settings.rb b/db/fixtures/01_application_settings.rb
@@ -14,3 +14,8 @@
   s.setting = :identity_providers
   s.value = []
 end
+
+ApplicationSetting.seed_once :setting do |s|
+  s.setting = :admin_status_visible
+  s.value = true
+end
diff --git a/docs/graphql/mutation/applicationsettingsupdate.md b/docs/graphql/mutation/applicationsettingsupdate.md
@@ -8,6 +8,7 @@ Update application settings.
 
 | Name | Type | Description |
 |------|------|-------------|
+| `adminStatusVisible` | [`Boolean`](../scalar/boolean.md) | Set if admin status can be queried by non-administrators. |
 | `clientMutationId` | [`String`](../scalar/string.md) | A unique identifier for the client performing the mutation. |
 | `organizationCreationRestricted` | [`Boolean`](../scalar/boolean.md) | Set if organization creation is restricted to administrators. |
 | `userRegistrationEnabled` | [`Boolean`](../scalar/boolean.md) | Set if user registration is enabled. |
diff --git a/docs/graphql/object/applicationsettings.md b/docs/graphql/object/applicationsettings.md
@@ -8,6 +8,7 @@ Represents the application settings
 
 | Name | Type | Description |
 |------|------|-------------|
+| `adminStatusVisible` | [`Boolean!`](../scalar/boolean.md) | Shows if admin status can be queried by non-administrators |
 | `organizationCreationRestricted` | [`Boolean!`](../scalar/boolean.md) | Shows if organization creation is restricted to administrators |
 | `userRegistrationEnabled` | [`Boolean!`](../scalar/boolean.md) | Shows if user registration is enabled |
 
diff --git a/spec/graphql/types/application_settings_type_spec.rb b/spec/graphql/types/application_settings_type_spec.rb
@@ -7,6 +7,7 @@
     %w[
       userRegistrationEnabled
       organizationCreationRestricted
+      adminStatusVisible
     ]
   end
 

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`%w[`
`8`	`8`	`userRegistrationEnabled`
`9`	`9`	`organizationCreationRestricted`
	`10`	`+ adminStatusVisible`
`10`	`11`	`]`
`11`	`12`	`end`
`12`	`13`