Diffstat (limited to 'app/graphql/subscriptions')
-rw-r--r-- | app/graphql/subscriptions/base_subscription.rb | 31 | ||||
-rw-r--r-- | app/graphql/subscriptions/issuable_updated.rb | 29 |
2 files changed, 60 insertions, 0 deletions
diff --git a/app/graphql/subscriptions/base_subscription.rb b/app/graphql/subscriptions/base_subscription.rb
new file mode 100644
index 00000000000..5f7931787df
--- /dev/null
+++ b/app/graphql/subscriptions/base_subscription.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Subscriptions
+  class BaseSubscription < GraphQL::Schema::Subscription
+    object_class Types::BaseObject
+    field_class Types::BaseField
+
+    def initialize(object:, context:, field:)
+      super
+
+      # Reset user so that we don't use a stale user for authorization
+      current_user.reset if current_user
+    end
+
+    def authorized?(*)
+      raise NotImplementedError
+    end
+
+    private
+
+    def unauthorized!
+      unsubscribe if context.query.subscription_update?
+
+      raise GraphQL::ExecutionError, 'Unauthorized subscription'
+    end
+
+    def current_user
+      context[:current_user]
+    end
+  end
+end
diff --git a/app/graphql/subscriptions/issuable_updated.rb b/app/graphql/subscriptions/issuable_updated.rb
new file mode 100644
index 00000000000..c1d82bfcf9c
--- /dev/null
+++ b/app/graphql/subscriptions/issuable_updated.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Subscriptions
+  class IssuableUpdated < BaseSubscription
+    include Gitlab::Graphql::Laziness
+
+    payload_type Types::IssuableType
+
+    argument :issuable_id, Types::GlobalIDType[Issuable],
+      required: true,
+      description: 'ID of the issuable.'
+
+    def subscribe(issuable_id:)
+      nil
+    end
+
+    def authorized?(issuable_id:)
+      # TODO: remove this check when the compatibility layer is removed
+      # See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
+      raise Gitlab::Graphql::Errors::ArgumentError, 'Invalid IssuableID' unless issuable_id.is_a?(GlobalID)
+
+      issuable = force(GitlabSchema.find_by_gid(issuable_id))
+
+      unauthorized! unless issuable && Ability.allowed?(current_user, :"read_#{issuable.to_ability_name}", issuable)
+
+      true
+    end
+  end
+end
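Review bot: `authorized?(*)` in BaseSubscription raises NotImplementedError but nothing states the contract a subclass has to honour, and since this method is the only authorization gate a subscription has, a comment above it would save the next implementer from guessing: `# Subclasses implement this with the subscription's own arguments: call unauthorized! when the current user may not receive the payload, return true otherwise. It is evaluated again on each update, which is why initialize resets current_user first.` The last clause is inferred from the reset comment in initialize and the `subscription_update?` check in `unauthorized!`, so confirm it against the schema before committing it. The reset line reads more idiomatically as `current_user&.reset`. A short why-comment above the `unsubscribe if context.query.subscription_update?` line would also help, since the asymmetry between the initial subscribe and a later update is not explained anywhere in the hunk.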
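Review bot: `authorized?` in IssuableUpdated carries no comment describing what its outcome means, and because it is the only guard between an update and a subscriber, that is worth stating next to the `unauthorized!` line: `# A record that cannot be found and one the user may not read both end in unauthorized!, so the error does not reveal whether the issuable exists; true is reached only for a readable issuable.` The dynamic ability name is built from `issuable.to_ability_name`, i.e. from the loaded record rather than from the client-supplied argument, which keeps the symbol out of the caller's control and deserves a one-line note so a future reader does not flag it. `subscribe` returning `nil` is also undocumented; a comment such as `# Nothing is returned on the initial subscription request.` would do, with the delivery mechanism for later updates named only if it is confirmed elsewhere in the schema. The `is_a?(GlobalID)` guard is already explained by the TODO and its issue link, so that one needs nothing further.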