Sanity check for GraphQL authorized?

Raise an exception if a developer calls any of the GraphQL authorization
methods and a `authorize :permission` is missing from a mutation class.

Previously `authorized?` would return `true` in this situation, which
although technically is accurate is not what a developer is intending.

1 files changed, 6 insertions, 0 deletions

diff --git a/lib/gitlab/graphql/authorize/authorize_resource.rb b/lib/gitlab/graphql/authorize/authorize_resource.rb
index b367a97105c..c619464f69f 100644
--- a/lib/gitlab/graphql/authorize/authorize_resource.rb
+++ b/lib/gitlab/graphql/authorize/authorize_resource.rb
@@ -48,6 +48,12 @@ module Gitlab
         end
 
         def authorized?(object)
+          # Sanity check. We don't want to accidentally allow a developer to authorize
+          # without first adding permissions to authorize against
+          if self.class.required_permissions.empty?
+            raise Gitlab::Graphql::Errors::ArgumentError, "#{self.class.name} has no authorizations"
+          end
+
           self.class.required_permissions.all? do |ability|
             # The actions could be performed across multiple objects. In which
             # case the current user is common, and we could benefit from the