diff options
| author | Lin Jen-Shin <godfat@godfat.org> | 2019-02-12 23:30:23 +0800 |
|---|---|---|
| committer | Lin Jen-Shin <godfat@godfat.org> | 2019-02-14 15:52:17 +0800 |
| commit | 564b86a3145cd5f7eae8071ef244dc684bcd5031 (patch) | |
| tree | 15c4a5db6bf9f9ed8018b4c6f989a8095616c1eb | |
| parent | 7be1f0842f281305f2c36e2b6066842d8e87875c (diff) | |
| download | gitlab-ce-564b86a3145cd5f7eae8071ef244dc684bcd5031.tar.gz | |
Allow authorize on array of objects for GraphQL
And add tests
| -rw-r--r-- | app/graphql/types/project_type.rb | 2 | ||||
| -rw-r--r-- | lib/gitlab/graphql/authorize/instrumentation.rb | 21 | ||||
| -rw-r--r-- | spec/graphql/types/project_type_spec.rb | 3 | ||||
| -rw-r--r-- | spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb | 43 |
4 files changed, 64 insertions, 5 deletions
diff --git a/app/graphql/types/project_type.rb b/app/graphql/types/project_type.rb index daced8af1c2..9d21a7dee67 100644 --- a/app/graphql/types/project_type.rb +++ b/app/graphql/types/project_type.rb @@ -70,7 +70,7 @@ module Types Types::MergeRequestType.connection_type, null: true, resolver: Resolvers::MergeRequestsResolver do - # authorize :read_merge_request + authorize :read_merge_request end field :merge_request, diff --git a/lib/gitlab/graphql/authorize/instrumentation.rb b/lib/gitlab/graphql/authorize/instrumentation.rb index d638d2b43ee..d6d3ff300f6 100644 --- a/lib/gitlab/graphql/authorize/instrumentation.rb +++ b/lib/gitlab/graphql/authorize/instrumentation.rb @@ -35,10 +35,25 @@ module Gitlab private def build_checker(current_user, abilities) - proc do |obj| + lambda do |value| # Load the elements if they weren't loaded by BatchLoader yet - obj = obj.sync if obj.respond_to?(:sync) - obj if abilities.all? { |ability| Ability.allowed?(current_user, ability, obj) } + value = value.sync if value.respond_to?(:sync) + + check = lambda do |object| + abilities.all? do |ability| + Ability.allowed?(current_user, ability, object) + end + end + + checked = + case value + when Array + value.all?(&check) + else + check.call(value) + end + + value if checked end end end diff --git a/spec/graphql/types/project_type_spec.rb b/spec/graphql/types/project_type_spec.rb index 811bd53eb4d..e8f1c84f8d6 100644 --- a/spec/graphql/types/project_type_spec.rb +++ b/spec/graphql/types/project_type_spec.rb @@ -15,7 +15,8 @@ describe GitlabSchema.types['Project'] do end it 'authorizes the merge requests' do - skip + expect(described_class.fields['mergeRequests']) + .to require_graphql_authorizations(:read_merge_request) end end diff --git a/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb b/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb new file mode 100644 index 00000000000..69f53fce715 --- /dev/null +++ b/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb @@ -0,0 +1,43 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Gitlab::Graphql::Authorize::Instrumentation do + describe '#build_checker' do + let(:current_user) { double(:current_user) } + let(:abilities) { [double(:first_ability), double(:last_ability)] } + + let(:checker) do + described_class.new.__send__(:build_checker, current_user, abilities) + end + + it 'returns a checker which checks for a single object' do + object = double(:object) + + abilities.each do |ability| + spy_ability_check_for(ability, object) + end + + expect(checker.call(object)).to eq(object) + end + + it 'returns a checker which checks for all objects' do + objects = [double(:first), double(:last)] + + abilities.each do |ability| + objects.each do |object| + spy_ability_check_for(ability, object) + end + end + + expect(checker.call(objects)).to eq(objects) + end + + def spy_ability_check_for(ability, object) + expect(Ability) + .to receive(:allowed?) + .with(current_user, ability, object) + .and_return(true) + end + end +end |