Allow authorize on array of objects for GraphQL

And add tests

4 files changed, 64 insertions, 5 deletions

diff --git a/app/graphql/types/project_type.rb b/app/graphql/types/project_type.rb
index daced8af1c2..9d21a7dee67 100644
--- a/app/graphql/types/project_type.rb
+++ b/app/graphql/types/project_type.rb
@@ -70,7 +70,7 @@ module Types
           Types::MergeRequestType.connection_type,
           null: true,
           resolver: Resolvers::MergeRequestsResolver do
-      # authorize :read_merge_request
+      authorize :read_merge_request
     end
 
     field :merge_request,
diff --git a/lib/gitlab/graphql/authorize/instrumentation.rb b/lib/gitlab/graphql/authorize/instrumentation.rb
index d638d2b43ee..d6d3ff300f6 100644
--- a/lib/gitlab/graphql/authorize/instrumentation.rb
+++ b/lib/gitlab/graphql/authorize/instrumentation.rb
@@ -35,10 +35,25 @@ module Gitlab
         private
 
         def build_checker(current_user, abilities)
-          proc do |obj|
+          lambda do |value|
             # Load the elements if they weren't loaded by BatchLoader yet
-            obj = obj.sync if obj.respond_to?(:sync)
-            obj if abilities.all? { |ability| Ability.allowed?(current_user, ability, obj) }
+            value = value.sync if value.respond_to?(:sync)
+
+            check = lambda do |object|
+              abilities.all? do |ability|
+                Ability.allowed?(current_user, ability, object)
+              end
+            end
+
+            checked =
+              case value
+              when Array
+                value.all?(&check)
+              else
+                check.call(value)
+              end
+
+            value if checked
           end
         end
       end
diff --git a/spec/graphql/types/project_type_spec.rb b/spec/graphql/types/project_type_spec.rb
index 811bd53eb4d..e8f1c84f8d6 100644
--- a/spec/graphql/types/project_type_spec.rb
+++ b/spec/graphql/types/project_type_spec.rb
@@ -15,7 +15,8 @@ describe GitlabSchema.types['Project'] do
     end
 
     it 'authorizes the merge requests' do
-      skip
+      expect(described_class.fields['mergeRequests'])
+        .to require_graphql_authorizations(:read_merge_request)
     end
   end
 
diff --git a/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb b/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb
new file mode 100644
index 00000000000..69f53fce715
--- /dev/null
+++ b/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Graphql::Authorize::Instrumentation do
+  describe '#build_checker' do
+    let(:current_user) { double(:current_user) }
+    let(:abilities) { [double(:first_ability), double(:last_ability)] }
+
+    let(:checker) do
+      described_class.new.__send__(:build_checker, current_user, abilities)
+    end
+
+    it 'returns a checker which checks for a single object' do
+      object = double(:object)
+
+      abilities.each do |ability|
+        spy_ability_check_for(ability, object)
+      end
+
+      expect(checker.call(object)).to eq(object)
+    end
+
+    it 'returns a checker which checks for all objects' do
+      objects = [double(:first), double(:last)]
+
+      abilities.each do |ability|
+        objects.each do |object|
+          spy_ability_check_for(ability, object)
+        end
+      end
+
+      expect(checker.call(objects)).to eq(objects)
+    end
+
+    def spy_ability_check_for(ability, object)
+      expect(Ability)
+        .to receive(:allowed?)
+        .with(current_user, ability, object)
+        .and_return(true)
+    end
+  end
+end