summaryrefslogtreecommitdiff
path: root/lib/gitlab/graphql/authorize/object_authorization.rb
diff options
context:
space:
mode:
Diffstat (limited to 'lib/gitlab/graphql/authorize/object_authorization.rb')
-rw-r--r--lib/gitlab/graphql/authorize/object_authorization.rb19
1 files changed, 16 insertions, 3 deletions
diff --git a/lib/gitlab/graphql/authorize/object_authorization.rb b/lib/gitlab/graphql/authorize/object_authorization.rb
index 0bc87108871..f13acc9ea27 100644
--- a/lib/gitlab/graphql/authorize/object_authorization.rb
+++ b/lib/gitlab/graphql/authorize/object_authorization.rb
@@ -4,10 +4,11 @@ module Gitlab
module Graphql
module Authorize
class ObjectAuthorization
- attr_reader :abilities
+ attr_reader :abilities, :permitted_scopes
- def initialize(abilities)
+ def initialize(abilities, scopes = %i[api read_api])
@abilities = Array.wrap(abilities).flatten
+ @permitted_scopes = Array.wrap(scopes)
end
def none?
@@ -18,7 +19,13 @@ module Gitlab
abilities.present?
end
- def ok?(object, current_user)
+ def ok?(object, current_user, scope_validator: nil)
+ scopes_ok?(scope_validator) && abilities_ok?(object, current_user)
+ end
+
+ private
+
+ def abilities_ok?(object, current_user)
return true if none?
subject = object.try(:declarative_policy_subject) || object
@@ -26,6 +33,12 @@ module Gitlab
Ability.allowed?(current_user, ability, subject)
end
end
+
+ def scopes_ok?(validator)
+ return true unless validator.present?
+
+ validator.valid_for?(permitted_scopes)
+ end
end
end
end
View Lorry Controller Status