diff options
Diffstat (limited to 'spec/graphql/types/base_field_spec.rb')
-rw-r--r-- | spec/graphql/types/base_field_spec.rb | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/spec/graphql/types/base_field_spec.rb b/spec/graphql/types/base_field_spec.rb index 9d02f061435..439678e7e16 100644 --- a/spec/graphql/types/base_field_spec.rb +++ b/spec/graphql/types/base_field_spec.rb @@ -3,6 +3,92 @@ require 'spec_helper' RSpec.describe Types::BaseField do + describe 'authorized?' do + let(:object) { double } + let(:current_user) { nil } + let(:ctx) { { current_user: current_user } } + + it 'defaults to true' do + field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true) + + expect(field).to be_authorized(object, nil, ctx) + end + + it 'tests the field authorization, if provided' do + field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true, authorize: :foo) + + expect(Ability).to receive(:allowed?).with(current_user, :foo, object).and_return(false) + + expect(field).not_to be_authorized(object, nil, ctx) + end + + it 'tests the field authorization, if provided, when it succeeds' do + field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true, authorize: :foo) + + expect(Ability).to receive(:allowed?).with(current_user, :foo, object).and_return(true) + + expect(field).to be_authorized(object, nil, ctx) + end + + it 'only tests the resolver authorization if it authorizes_object?' do + resolver = Class.new + + field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true, + resolver_class: resolver) + + expect(field).to be_authorized(object, nil, ctx) + end + + it 'tests the resolver authorization, if provided' do + resolver = Class.new do + include Gitlab::Graphql::Authorize::AuthorizeResource + + authorizes_object! + end + + field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true, + resolver_class: resolver) + + expect(resolver).to receive(:authorized?).with(object, ctx).and_return(false) + + expect(field).not_to be_authorized(object, nil, ctx) + end + + it 'tests field authorization before resolver authorization, when field auth fails' do + resolver = Class.new do + include Gitlab::Graphql::Authorize::AuthorizeResource + + authorizes_object! + end + + field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true, + authorize: :foo, + resolver_class: resolver) + + expect(Ability).to receive(:allowed?).with(current_user, :foo, object).and_return(false) + expect(resolver).not_to receive(:authorized?) + + expect(field).not_to be_authorized(object, nil, ctx) + end + + it 'tests field authorization before resolver authorization, when field auth succeeds' do + resolver = Class.new do + include Gitlab::Graphql::Authorize::AuthorizeResource + + authorizes_object! + end + + field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true, + authorize: :foo, + resolver_class: resolver) + + expect(Ability).to receive(:allowed?).with(current_user, :foo, object).and_return(true) + expect(resolver).to receive(:authorized?).with(object, ctx).and_return(false) + + expect(field).not_to be_authorized(object, nil, ctx) + end + end + context 'when considering complexity' do let(:resolver) do Class.new(described_class) do |