When you use the REST API or UI to view an issue’s discussion/notes, private system note is hidden to member’s only.
Such as moving an issue to a private project, making issue as duplicate of a confidential issue, someone mentioned this issue in a confidential issue.
They are properly hidden in REST and UI, but you can still see them in graphql
query {
project(fullPath:"username16/ci-test"){
issue(iid:"1"){
descriptionHtml
notes{
edges{
node{
bodyHtml
system
author{
username
}
body
}
}
}
}}
}
Disclosure of all system note of an issue/MR/designs that should be private
Disclosure of all system note of an issue/MR/designs that should be private