From bc299f54e841488b4ab37777761db1dfc7f3b60e Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 27 Apr 2021 08:57:43 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee --- app/graphql/mutations/base_mutation.rb | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'app/graphql') diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb index 1f18a37fcb9..da658e1f108 100644 --- a/app/graphql/mutations/base_mutation.rb +++ b/app/graphql/mutations/base_mutation.rb @@ -44,9 +44,18 @@ module Mutations end end + def self.authorizes_object? + true + end + def self.authorized?(object, context) - # we never provide an object to mutations, but we do need to have a user. - context[:current_user].present? && !context[:current_user].blocked? + auth = ::Gitlab::Graphql::Authorize::ObjectAuthorization.new(:execute_graphql_mutation, :api) + + return true if auth.ok?(:global, context[:current_user], + scope_validator: context[:scope_validator]) + + # in our mutations we raise, rather than returning a null value. + raise_resource_not_available_error! end # See: AuthorizeResource#authorized_resource? -- cgit v1.2.1