From 967cbd083492f72ef59ddc9a98d7f67a7fe85d21 Mon Sep 17 00:00:00 2001
From: Bob Van Landuyt <bob@vanlanduyt.co>
Date: Tue, 18 Jun 2019 18:33:47 +0200
Subject: Enforce authorizations for non-nullable fields

This makes sure we also enforce authorizations for non-nullable
fields.

We are defining our authorizations on the unwrapped
types (Repository). But when a type like that is presented in a
non-nullable field, it's type is different (Repository!). The
non-nullable type would not have the authorization metadata.

This makes sure we check the metadata on the unwrapped type for
finding authorizations.
---
 .../api/graphql/project/repository_spec.rb         | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'spec/requests/api/graphql/project')

diff --git a/spec/requests/api/graphql/project/repository_spec.rb b/spec/requests/api/graphql/project/repository_spec.rb
index 67af612a4a0..261433a3d6a 100644
--- a/spec/requests/api/graphql/project/repository_spec.rb
+++ b/spec/requests/api/graphql/project/repository_spec.rb
@@ -34,4 +34,28 @@ describe 'getting a repository in a project' do
       expect(graphql_data['project']).to be(nil)
     end
   end
+
+  context 'when the repository is only accessible to members' do
+    let(:project) do
+      create(:project, :public, :repository, repository_access_level: ProjectFeature::PRIVATE)
+    end
+
+    it 'returns a repository for the owner' do
+      post_graphql(query, current_user: current_user)
+
+      expect(graphql_data['project']['repository']).not_to be_nil
+    end
+
+    it 'returns nil for the repository for other users' do
+      post_graphql(query, current_user: create(:user))
+
+      expect(graphql_data['project']['repository']).to be_nil
+    end
+
+    it 'returns nil for the repository for other users' do
+      post_graphql(query, current_user: nil)
+
+      expect(graphql_data['project']['repository']).to be_nil
+    end
+  end
 end
-- 
cgit v1.2.1