Check authorization to view billableMembersCount

In our GrahpQL GroupType we should only return the billable member type for users who are authorized to view it (group owners) Changelog: fixed EE: true

Check authorization to view billableMembersCount
In our GrahpQL GroupType we should only return the billable member type for users who are authorized to view it (group owners) Changelog: fixed EE: true
1a23f5e6 · Vijay Hawoldar · fecbce92 · 1a23f5e6 · 1a23f5e6
Commit 1a23f5e6 authored Mar 09, 2022 by Vijay Hawoldar
Showing with 55 additions and 42 deletions

ee/app/graphql/ee/types/group_type.rb ee/app/graphql/ee/types/group_type.rb +1 -0

ee/spec/graphql/ee/types/group_type_spec.rb ee/spec/graphql/ee/types/group_type_spec.rb +54 -42

No files found.
--- a/ee/app/graphql/ee/types/group_type.rb
+++ b/ee/app/graphql/ee/types/group_type.rb
@@ -85,6 +85,7 @@ module EE

        field :billable_members_count, ::GraphQL::Types::Int,
              null: true,
+              authorize: :owner_access,
              description: 'Number of billable users in the group.' do
                argument :requested_hosted_plan, String, required: false, description: 'Plan from which to get billable members.'
              end

--- a/ee/spec/graphql/ee/types/group_type_spec.rb
+++ b/ee/spec/graphql/ee/types/group_type_spec.rb
@@ -69,20 +69,15 @@ RSpec.describe GitlabSchema.types['Group'] do
  describe 'billable members count' do
    let_it_be(:group) { create(:group) }
    let_it_be(:project) { create(:project, namespace: group) }
-    let_it_be(:user1) { create(:user) }
-    let_it_be(:user2) { create(:user) }
-    let_it_be(:user3) { create(:user) }
-    let_it_be(:user4) { create(:user) }
-
-    before do
-      group.add_developer(user1)
-      group.add_guest(user2)
-      project.add_developer(user3)
-      project.add_guest(user4)
-    end
-
-    it "returns billable users count including guests when no plan is provided" do
-      query = <<~GQL
+    let_it_be(:group_owner) { create(:user) }
+    let_it_be(:group_developer) { create(:user) }
+    let_it_be(:group_guest) { create(:user) }
+    let_it_be(:project_developer) { create(:user) }
+    let_it_be(:project_guest) { create(:user) }
+
+    let(:current_user) { group_owner }
+    let(:query) do
+      <<~GQL
        query {
          group(fullPath: "#{group.full_path}") {
            id,
@@ -90,46 +85,63 @@ RSpec.describe GitlabSchema.types['Group'] do
          }
        }
      GQL
+    end

-      result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
+    before do
+      group.add_owner(group_owner)
+      group.add_developer(group_developer)
+      group.add_guest(group_guest)
+      project.add_developer(project_developer)
+      project.add_guest(project_guest)
+    end

-      billable_members_count = result.dig('data', 'group', 'billableMembersCount')
+    subject(:billable_members_count) do
+      result = GitlabSchema.execute(query, context: { current_user: current_user }).as_json

-      expect(billable_members_count).to eq(4)
+      result.dig('data', 'group', 'billableMembersCount')
    end

-    it "returns billable users count including guests when a plan that should include guests is provided" do
-      query = <<~GQL
-        query {
-          group(fullPath: "#{group.full_path}") {
-            id,
-            billableMembersCount(requestedHostedPlan: "#{::Plan::SILVER}")
-          }
-        }
-      GQL
+    context 'when no plan is provided' do
+      it 'returns billable users count including guests' do
+        expect(billable_members_count).to eq(5)
+      end
+    end

-      result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
+    context 'when a plan is provided' do
+      let(:query) do
+        <<~GQL
+          query {
+            group(fullPath: "#{group.full_path}") {
+              id,
+              billableMembersCount(requestedHostedPlan: "#{plan}")
+            }
+          }
+        GQL
+      end

-      billable_members_count = result.dig('data', 'group', 'billableMembersCount')
+      context 'with a plan that should include guests is provided' do
+        let(:plan) { ::Plan::SILVER }

-      expect(billable_members_count).to eq(4)
-    end
+        it 'returns billable users count including guests' do
+          expect(billable_members_count).to eq(5)
+        end
+      end

-    it "returns billable users count excluding guests when a plan that should exclude guests is provided" do
-      query = <<~GQL
-        query {
-          group(fullPath: "#{group.full_path}") {
-            id,
-            billableMembersCount(requestedHostedPlan: "#{::Plan::ULTIMATE}")
-          }
-        }
-      GQL
+      context 'with a plan that should exclude guests is provided' do
+        let(:plan) { ::Plan::ULTIMATE }

-      result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
+        it 'returns billable users count excluding guests when a plan that should exclude guests is provided' do
+          expect(billable_members_count).to eq(3)
+        end
+      end
+    end

-      billable_members_count = result.dig('data', 'group', 'billableMembersCount')
+    context 'without owner authorization' do
+      let(:current_user) { group_developer }

-      expect(billable_members_count).to eq(2)
+      it 'does not return the billable members count' do
+        expect(billable_members_count).to be_nil
+      end
    end
  end