From eca8e6f09b1800b58904582b527103b5c755e898 Mon Sep 17 00:00:00 2001
From: Bob Van Landuyt <bob@vanlanduyt.co>
Date: Thu, 11 Apr 2019 11:07:06 +0200
Subject: Only check abilities on rendered GraphQL nodes

With this we only check abilities on the rendered edges of a GraphQL
connection instead of all the nodes in it.
---
 spec/requests/api/graphql/project/issues_spec.rb | 28 ++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

(limited to 'spec/requests/api/graphql/project/issues_spec.rb')

diff --git a/spec/requests/api/graphql/project/issues_spec.rb b/spec/requests/api/graphql/project/issues_spec.rb
index c2934430821..4f9f916f22e 100644
--- a/spec/requests/api/graphql/project/issues_spec.rb
+++ b/spec/requests/api/graphql/project/issues_spec.rb
@@ -7,8 +7,8 @@ describe 'getting an issue list for a project' do
   let(:current_user) { create(:user) }
   let(:issues_data) { graphql_data['project']['issues']['edges'] }
   let!(:issues) do
-    create(:issue, project: project, discussion_locked: true)
-    create(:issue, project: project)
+    [create(:issue, project: project, discussion_locked: true),
+     create(:issue, project: project)]
   end
   let(:fields) do
     <<~QUERY
@@ -47,6 +47,30 @@ describe 'getting an issue list for a project' do
     expect(issues_data[1]['node']['discussionLocked']).to eq true
   end
 
+  context 'when limiting the number of results' do
+    let(:query) do
+      graphql_query_for(
+        'project',
+        { 'fullPath' => project.full_path },
+        "issues(first: 1) { #{fields} }"
+      )
+    end
+
+    it_behaves_like 'a working graphql query' do
+      before do
+        post_graphql(query, current_user: current_user)
+      end
+    end
+
+    it "is expected to check permissions on the first issue only" do
+      allow(Ability).to receive(:allowed?).and_call_original
+      # Newest first, we only want to see the newest checked
+      expect(Ability).not_to receive(:allowed?).with(current_user, :read_issue, issues.first)
+
+      post_graphql(query, current_user: current_user)
+    end
+  end
+
   context 'when the user does not have access to the issue' do
     it 'returns nil' do
       project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
-- 
cgit v1.2.1