Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
73b553a4
Commit
73b553a4
authored
Mar 27, 2019
by
Felipe Artur
Committed by
Nick Thomas
Mar 27, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add API access check to Graphql
Check if user can access API on GraphqlController
parent
b78aa81f
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
55 additions
and
0 deletions
+55
-0
app/controllers/graphql_controller.rb
app/controllers/graphql_controller.rb
+5
-0
changelogs/unreleased/issue_58547.yml
changelogs/unreleased/issue_58547.yml
+5
-0
spec/controllers/graphql_controller_spec.rb
spec/controllers/graphql_controller_spec.rb
+45
-0
No files found.
app/controllers/graphql_controller.rb
View file @
73b553a4
...
@@ -12,6 +12,7 @@ class GraphqlController < ApplicationController
...
@@ -12,6 +12,7 @@ class GraphqlController < ApplicationController
protect_from_forgery
with: :null_session
,
only: :execute
protect_from_forgery
with: :null_session
,
only: :execute
before_action
:check_graphql_feature_flag!
before_action
:check_graphql_feature_flag!
before_action
:authorize_access_api!
before_action
(
only:
[
:execute
])
{
authenticate_sessionless_user!
(
:api
)
}
before_action
(
only:
[
:execute
])
{
authenticate_sessionless_user!
(
:api
)
}
def
execute
def
execute
...
@@ -37,6 +38,10 @@ class GraphqlController < ApplicationController
...
@@ -37,6 +38,10 @@ class GraphqlController < ApplicationController
private
private
def
authorize_access_api!
access_denied!
(
"API not accessible for user."
)
unless
can?
(
current_user
,
:access_api
)
end
# Overridden from the ApplicationController to make the response look like
# Overridden from the ApplicationController to make the response look like
# a GraphQL response. That is nicely picked up in Graphiql.
# a GraphQL response. That is nicely picked up in Graphiql.
def
render_404
def
render_404
...
...
changelogs/unreleased/issue_58547.yml
0 → 100644
View file @
73b553a4
---
title
:
Add API access check to Graphql
merge_request
:
26570
author
:
type
:
other
spec/controllers/graphql_controller_spec.rb
0 → 100644
View file @
73b553a4
# frozen_string_literal: true
require
'spec_helper'
describe
GraphqlController
do
before
do
stub_feature_flags
(
graphql:
true
)
end
describe
'POST #execute'
do
context
'when user is logged in'
do
let
(
:user
)
{
create
(
:user
)
}
before
do
sign_in
(
user
)
end
it
'returns 200 when user can access API'
do
post
:execute
expect
(
response
).
to
have_gitlab_http_status
(
200
)
end
it
'returns access denied template when user cannot access API'
do
# User cannot access API in a couple of cases
# * When user is internal(like ghost users)
# * When user is blocked
expect
(
Ability
).
to
receive
(
:allowed?
).
with
(
user
,
:access_api
,
:global
).
and_return
(
false
)
post
:execute
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
response
).
to
render_template
(
'errors/access_denied'
)
end
end
context
'when user is not logged in'
do
it
'returns 200'
do
post
:execute
expect
(
response
).
to
have_gitlab_http_status
(
200
)
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment