diff options
| author | Brett Walker <bwalker@gitlab.com> | 2019-04-22 18:57:45 -0500 |
|---|---|---|
| committer | Brett Walker <bwalker@gitlab.com> | 2019-04-22 18:57:45 -0500 |
| commit | eff42d59bd1e0abdab673f5fca73112826af49cd (patch) | |
| tree | 06ef07fc8f8b9e07a6cbfd1cf60433c2651de491 | |
| parent | 46bdbc5d776a0438366426e0ef48911123311744 (diff) | |
| download | gitlab-ce-60800-properly-authorize-our-own-graphql-scalar-types.tar.gz | |
Check for all scalar types60800-properly-authorize-our-own-graphql-scalar-types
| -rw-r--r-- | lib/gitlab/graphql/authorize/authorize_field_service.rb | 6 | ||||
| -rw-r--r-- | spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb | 16 |
2 files changed, 18 insertions, 4 deletions
diff --git a/lib/gitlab/graphql/authorize/authorize_field_service.rb b/lib/gitlab/graphql/authorize/authorize_field_service.rb index 03d6aabb0e3..619ce100421 100644 --- a/lib/gitlab/graphql/authorize/authorize_field_service.rb +++ b/lib/gitlab/graphql/authorize/authorize_field_service.rb @@ -48,7 +48,7 @@ module Gitlab end def authorize_against(parent_typed_object, resolved_type) - if built_in_type? + if scalar_type? # The field is a built-in/scalar type, or a list of scalars # authorize using the parent's object parent_typed_object.object @@ -108,8 +108,8 @@ module Gitlab type.unwrap end - def built_in_type? - GraphQL::Schema::BUILT_IN_TYPES.has_value?(node_type_for_basic_connection(@field.type)) + def scalar_type? + node_type_for_basic_connection(@field.type).kind.scalar? end end end diff --git a/spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb b/spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb index 95a4eb296fb..aec9c4baf0a 100644 --- a/spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb +++ b/spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb @@ -45,7 +45,7 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do end end - context "when the field is a scalar type" do + context "when the field is a built-in scalar type" do let(:field) { type_with_field(GraphQL::STRING_TYPE, :read_field).fields["testField"].to_graphql } let(:expected_permissions) { [:read_field] } @@ -58,6 +58,20 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do it_behaves_like "checking permissions on the presented object" end + + context "when the field is sub-classed scalar type" do + let(:field) { type_with_field(Types::TimeType, :read_field).fields["testField"].to_graphql } + let(:expected_permissions) { [:read_field] } + + it_behaves_like "checking permissions on the presented object" + end + + context "when the field is a list of sub-classed scalar types" do + let(:field) { type_with_field([Types::TimeType], :read_field).fields["testField"].to_graphql } + let(:expected_permissions) { [:read_field] } + + it_behaves_like "checking permissions on the presented object" + end end context "when the field is a specific type" do |