diff options
author | Luke Duncalfe <lduncalfe@eml.cc> | 2019-06-21 17:09:02 +1200 |
---|---|---|
committer | Luke Duncalfe <lduncalfe@eml.cc> | 2019-06-26 10:12:35 +1200 |
commit | b2a615c3c60dd3315ecf33d5fdb61061c9d4003e (patch) | |
tree | 847a8806465ff076159c9b1018f204cd9371cf63 /lib/gitlab/graphql/authorize/authorize_resource.rb | |
parent | 87b468c254e3e1e3b6b1d86e003f1f90a39935a2 (diff) | |
download | gitlab-ce-b2a615c3c60dd3315ecf33d5fdb61061c9d4003e.tar.gz |
Sanity check for GraphQL authorized?
Raise an exception if a developer calls any of the GraphQL authorization
methods and a `authorize :permission` is missing from a mutation class.
Previously `authorized?` would return `true` in this situation, which
although technically is accurate is not what a developer is intending.
Diffstat (limited to 'lib/gitlab/graphql/authorize/authorize_resource.rb')
-rw-r--r-- | lib/gitlab/graphql/authorize/authorize_resource.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/gitlab/graphql/authorize/authorize_resource.rb b/lib/gitlab/graphql/authorize/authorize_resource.rb index b367a97105c..c619464f69f 100644 --- a/lib/gitlab/graphql/authorize/authorize_resource.rb +++ b/lib/gitlab/graphql/authorize/authorize_resource.rb @@ -48,6 +48,12 @@ module Gitlab end def authorized?(object) + # Sanity check. We don't want to accidentally allow a developer to authorize + # without first adding permissions to authorize against + if self.class.required_permissions.empty? + raise Gitlab::Graphql::Errors::ArgumentError, "#{self.class.name} has no authorizations" + end + self.class.required_permissions.all? do |ability| # The actions could be performed across multiple objects. In which # case the current user is common, and we could benefit from the |