-rw-r--r-- | app/controllers/graphql_controller.rb | 5 | ||||
-rw-r--r-- | changelogs/unreleased/issue_58547.yml | 5 | ||||
-rw-r--r-- | spec/controllers/graphql_controller_spec.rb | 45 |
3 files changed, 55 insertions, 0 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index e147d32be2e..7b5dc22815c 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -12,6 +12,7 @@ class GraphqlController < ApplicationController
   protect_from_forgery with: :null_session, only: :execute
 
   before_action :check_graphql_feature_flag!
+  before_action :authorize_access_api!
   before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
 
   def execute
@@ -37,6 +38,10 @@ class GraphqlController < ApplicationController
 
   private
 
+  def authorize_access_api!
+    access_denied!("API not accessible for user.") unless can?(current_user, :access_api)
+  end
+
   # Overridden from the ApplicationController to make the response look like
   # a GraphQL response. That is nicely picked up in Graphiql.
   def render_404
diff --git a/changelogs/unreleased/issue_58547.yml b/changelogs/unreleased/issue_58547.yml
new file mode 100644
index 00000000000..553c752e72d
--- /dev/null
+++ b/changelogs/unreleased/issue_58547.yml
@@ -0,0 +1,5 @@
+---
+title: Add API access check to Graphql
+merge_request: 26570
+author:
+type: other
diff --git a/spec/controllers/graphql_controller_spec.rb b/spec/controllers/graphql_controller_spec.rb
new file mode 100644
index 00000000000..c19a752b07b
--- /dev/null
+++ b/spec/controllers/graphql_controller_spec.rb
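Review bot: `before_action :authorize_access_api!` is declared above `before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }`, and Rails runs callbacks in declaration order, so the policy check executes before token-based (sessionless) authentication has had a chance to establish the user. If `current_user` is still nil at that point for a token request, `can?(current_user, :access_api)` evaluates the anonymous policy rather than the token owner's, and a user the policy would reject (the spec names blocked and internal users) is not stopped by this guard when calling with a token; whether a later check in the sessionless path catches such users is not visible in this hunk. Declaring the guard after the sessionless callback removes the ordering question: `before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }` followed by `before_action :authorize_access_api!`. The new spec only exercises session sign-in, so a token-authenticated example would pin this. The GraphqlController class body continues outside the hunk.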
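Review bot: `authorize_access_api!` carries no comment describing what a denial looks like to the client, while the neighbouring `render_404` override documents that it is reshaped into a GraphQL-style response. The spec pins a 403 with the `errors/access_denied` template, i.e. a rendered page rather than the GraphQL-shaped error `render_404` produces, which is worth stating at the definition: `# Denies the request with a 403 and the errors/access_denied template (not a GraphQL-shaped error) when current_user is not allowed :access_api, e.g. blocked or internal users.` The class body continues outside the hunk.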
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe GraphqlController do
+  before do
+    stub_feature_flags(graphql: true)
+  end
+
+  describe 'POST #execute' do
+    context 'when user is logged in' do
+      let(:user) { create(:user) }
+
+      before do
+        sign_in(user)
+      end
+
+      it 'returns 200 when user can access API' do
+        post :execute
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'returns access denied template when user cannot access API' do
+        # User cannot access API in a couple of cases
+        # * When user is internal(like ghost users)
+        # * When user is blocked
+        expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
+
+        post :execute
+
+        expect(response.status).to eq(403)
+        expect(response).to render_template('errors/access_denied')
+      end
+    end
+
+    context 'when user is not logged in' do
+      it 'returns 200' do
+        post :execute
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+    end
+  end
+end
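Review bot: The denial example asserts `expect(response.status).to eq(403)` while its two sibling examples use `have_gitlab_http_status(200)`; `expect(response).to have_gitlab_http_status(403)` keeps the file consistent and gives the matcher's failure output. The comment names blocked and internal users as the real denial cases, but the example only stubs `Ability.allowed?` to return false, so neither case is actually exercised; an example that signs in a blocked user, if the factory and sign-in helper allow it, would pin the behaviour the stub assumes. `expect(Ability).to receive(:allowed?).with(user, :access_api, :global)` also fails on any other `allowed?` call made during the request, which makes the example brittle to unrelated policy checks; `allow(Ability).to receive(:allowed?).and_call_original` followed by `allow(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)` is tolerant of those while still forcing the denial.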