authorGitLab Bot <gitlab-bot@gitlab.com>2021-04-28 15:09:35 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-04-28 15:09:35 +0000
commit42d13aebd3c47671337d871e8b349385dade5252 (patch)
treec15b971738677229f079feab81821611f92ad6c9 /app/graphql/mutations/base_mutation.rb
parent0805030d634b48c8a44308330fe0d99ba8434f46 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/graphql/mutations/base_mutation.rb')
-rw-r--r--app/graphql/mutations/base_mutation.rb13
1 files changed, 11 insertions, 2 deletions
diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb
index 1f18a37fcb9..da658e1f108 100644
--- a/app/graphql/mutations/base_mutation.rb
+++ b/app/graphql/mutations/base_mutation.rb
@@ -44,9 +44,18 @@ module Mutations
end
end
+ def self.authorizes_object?
+ true
+ end
+
def self.authorized?(object, context)
- # we never provide an object to mutations, but we do need to have a user.
- context[:current_user].present? && !context[:current_user].blocked?
+ auth = ::Gitlab::Graphql::Authorize::ObjectAuthorization.new(:execute_graphql_mutation, :api)
+
+ return true if auth.ok?(:global, context[:current_user],
+ scope_validator: context[:scope_validator])
+
+ # in our mutations we raise, rather than returning a null value.
+ raise_resource_not_available_error!
end
# See: AuthorizeResource#authorized_resource?
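Review bot: Rejection of anonymous and blocked users in `self.authorized?` now rests entirely on the `:execute_graphql_mutation` policy and on `context[:scope_validator]`, because the explicit `current_user.present? && !current_user.blocked?` guard is gone and neither replacement is visible in this hunk. Specs should pin the old guarantees for an anonymous caller, a blocked user, and a token without the `api` scope. It is also worth confirming that `context[:scope_validator]` can only be nil for session-authenticated requests, since a nil validator on a token request would presumably skip the scope check. A comment above the `auth.ok?` call would record the contract, e.g. `# Anonymous and blocked users are denied by the :execute_graphql_mutation policy; token requests must carry the :api scope.`, worded to match what the policy actually enforces. The enclosing class starts outside the hunk, so whether `raise_resource_not_available_error!` is callable from this class-level method cannot be checked from here.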