author | Felipe Artur <fcardozo@gitlab.com> | 2019-03-27 14:59:02 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-03-27 14:59:02 +0000 |
commit | 73b553a42a1dec7bd38e0aeeb5514c2a566a98c9 (patch) | |
tree | a763b5e4a28ba39c0bff6abd9804063f8d1f2cf9 /spec/controllers/graphql_controller_spec.rb | |
parent | b78aa81f323d16b71af40e2f6fc201d7e7a9a855 (diff) | |
download | gitlab-ce-73b553a42a1dec7bd38e0aeeb5514c2a566a98c9.tar.gz |
Add API access check to Graphql
Check if user can access API on GraphqlController
Diffstat (limited to 'spec/controllers/graphql_controller_spec.rb')
-rw-r--r-- | spec/controllers/graphql_controller_spec.rb | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/spec/controllers/graphql_controller_spec.rb b/spec/controllers/graphql_controller_spec.rb
new file mode 100644
index 00000000000..c19a752b07b
--- /dev/null
+++ b/spec/controllers/graphql_controller_spec.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe GraphqlController do
+ before do
+ stub_feature_flags(graphql: true)
+ end
+
+ describe 'POST #execute' do
+ context 'when user is logged in' do
+ let(:user) { create(:user) }
+
+ before do
+ sign_in(user)
+ end
+
+ it 'returns 200 when user can access API' do
+ post :execute
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+
+ it 'returns access denied template when user cannot access API' do
+ # User cannot access API in a couple of cases
+ # * When user is internal(like ghost users)
+ # * When user is blocked
+ expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
+
+ post :execute
+
+ expect(response.status).to eq(403)
+ expect(response).to render_template('errors/access_denied')
+ end
+ end
+
+ context 'when user is not logged in' do
+ it 'returns 200' do
+ post :execute
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+ end
+ end
+end |
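Review bot: The denied-access example asserts the status with `expect(response.status).to eq(403)` while the two 200 examples use the project matcher; for consistency and the better failure message it should read `expect(response).to have_gitlab_http_status(403)`. The comment above the `Ability` stub names internal (ghost) and blocked users as the cases being guarded, but the example replaces `Ability.allowed?` wholesale, so neither case is exercised end-to-end; if `sign_in` accepts a ghost or blocked user in controller specs, an example built on such a user would verify the policy rather than the stub. The strict `expect(Ability).to receive(:allowed?).with(user, :access_api, :global)` will also raise if the controller ever calls `Ability.allowed?` with other arguments during the same request, so preceding it with `allow(Ability).to receive(:allowed?).and_call_original` would keep the example from failing for unrelated permission checks. Finally, the logged-out example only asserts 200; it does not show what the response contains, which seems intentional for an anonymous GraphQL request but is worth a one-line comment stating that anonymous access is expected.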