author | Brett Walker <bwalker@gitlab.com> | 2019-03-20 18:39:18 -0500 |
---|---|---|
committer | Brett Walker <bwalker@gitlab.com> | 2019-04-04 09:03:21 -0500 |
commit | 6643b92b8807e2d59f36d676303b89ea01824f22 (patch) | |
tree | d03308ddb6bd51362325cd3384deaa4cfa08a9ef /spec/graphql | |
parent | 702f18261a2ac0b45e2b002055950816ad34e92c (diff) | |
download | gitlab-ce-6643b92b8807e2d59f36d676303b89ea01824f22.tar.gz |
Use parent object when authorizing scalar types
Diffstat (limited to 'spec/graphql')
-rw-r--r-- | spec/graphql/features/authorization_spec.rb | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/spec/graphql/features/authorization_spec.rb b/spec/graphql/features/authorization_spec.rb
index f863c4444b8..00e31568a9e 100644
--- a/spec/graphql/features/authorization_spec.rb
+++ b/spec/graphql/features/authorization_spec.rb
@@ -75,6 +75,59 @@ describe 'Gitlab::Graphql::Authorization' do
 end
 end
+ describe 'Field authorizations when field is a built in type' do
+ let(:query_type) do
+ query_factory do |query|
+ query.field :object, type, null: true, resolve: ->(obj, args, ctx) { test_object }
+ end
+ end
+
+ describe 'with a single permission' do
+ let(:type) do
+ type_factory do |type|
+ type.field :name, GraphQL::STRING_TYPE, null: true, authorize: permission_single
+ end
+ end
+
+ it 'returns the protected field when user has permission' do
+ permit(permission_single)
+
+ expect(subject).to eq('name' => test_object.name)
+ end
+
+ it 'returns nil when user is not authorized' do
+ expect(subject).to eq('name' => nil)
+ end
+ end
+
+ describe 'with a collection of permissions' do
+ let(:type) do
+ permissions = permission_collection
+ type_factory do |type|
+ type.field :name, GraphQL::STRING_TYPE, null: true do
+ authorize permissions
+ end
+ end
+ end
+
+ it 'returns the protected field when user has all permissions' do
+ permit(*permission_collection)
+
+ expect(subject).to eq('name' => test_object.name)
+ end
+
+ it 'returns nil when user only has one of the permissions' do
+ permit(permission_collection.first)
+
+ expect(subject).to eq('name' => nil)
+ end
+
+ it 'returns nil when user only has none of the permissions' do
+ expect(subject).to eq('name' => nil)
+ end
+ end
+ end
+
 describe 'Type authorizations' do
 let(:query_type) do
 query_factory do |query| |
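Review bot: The partial-grant example in 'with a collection of permissions' grants only `permission_collection.first`, so an implementation that evaluated just the last entry of the collection (or any entry other than the first) would still pass it. Because the all-of semantics is what keeps the field hidden, a sibling example using `permit(permission_collection.last)` with the same `expect(subject).to eq('name' => nil)` would pin the check from both ends. `permit`, `permission_collection` and `test_object` are defined outside this hunk, so whether the ability check is matched against the parent object cannot be confirmed from here; if `permit` does not match on `test_object`, an explicit expectation on the checked subject would be worth adding. The last example's description reads 'only has none of the permissions'; 'has none of the permissions' is clearer.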