Commit 1a23f5e6 authored by Vijay Hawoldar's avatar Vijay Hawoldar

Check authorization to view billableMembersCount

In our GraphQL GroupType we should only return the billable member type
for users who are authorized to view it (group owners)

Changelog: fixed
EE: true
parent fecbce92
...@@ -85,6 +85,7 @@ module EE ...@@ -85,6 +85,7 @@ module EE
field :billable_members_count, ::GraphQL::Types::Int, field :billable_members_count, ::GraphQL::Types::Int,
null: true, null: true,
authorize: :owner_access,
description: 'Number of billable users in the group.' do description: 'Number of billable users in the group.' do
argument :requested_hosted_plan, String, required: false, description: 'Plan from which to get billable members.' argument :requested_hosted_plan, String, required: false, description: 'Plan from which to get billable members.'
end end
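Review bot: The added `authorize: :owner_access` makes `billable_members_count` resolve to null for every viewer who is not a group owner, yet the description on the following line still reads as if the count were available to anyone, and a client cannot distinguish an authorization null from a missing value. I would extend it to `description: 'Number of billable users in the group. Only available to group owners.'` so the generated GraphQL reference carries the restriction. A field-level `authorize:` is presumably evaluated against the resolved group for `current_user`, not against the `requested_hosted_plan` argument, which is what the owner-only spec expects; worth confirming against the other authorized fields in this type. The enclosing `module EE` type definition starts and ends outside the hunk.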
......
...@@ -69,20 +69,15 @@ RSpec.describe GitlabSchema.types['Group'] do ...@@ -69,20 +69,15 @@ RSpec.describe GitlabSchema.types['Group'] do
describe 'billable members count' do describe 'billable members count' do
let_it_be(:group) { create(:group) } let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, namespace: group) } let_it_be(:project) { create(:project, namespace: group) }
let_it_be(:user1) { create(:user) } let_it_be(:group_owner) { create(:user) }
let_it_be(:user2) { create(:user) } let_it_be(:group_developer) { create(:user) }
let_it_be(:user3) { create(:user) } let_it_be(:group_guest) { create(:user) }
let_it_be(:user4) { create(:user) } let_it_be(:project_developer) { create(:user) }
let_it_be(:project_guest) { create(:user) }
before do
group.add_developer(user1) let(:current_user) { group_owner }
group.add_guest(user2) let(:query) do
project.add_developer(user3) <<~GQL
project.add_guest(user4)
end
it "returns billable users count including guests when no plan is provided" do
query = <<~GQL
query { query {
group(fullPath: "#{group.full_path}") { group(fullPath: "#{group.full_path}") {
id, id,
...@@ -90,46 +85,63 @@ RSpec.describe GitlabSchema.types['Group'] do ...@@ -90,46 +85,63 @@ RSpec.describe GitlabSchema.types['Group'] do
} }
} }
GQL GQL
end
before do
group.add_owner(group_owner)
group.add_developer(group_developer)
group.add_guest(group_guest)
project.add_developer(project_developer)
project.add_guest(project_guest)
end
result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json subject(:billable_members_count) do
result = GitlabSchema.execute(query, context: { current_user: current_user }).as_json
billable_members_count = result.dig('data', 'group', 'billableMembersCount') result.dig('data', 'group', 'billableMembersCount')
end
expect(billable_members_count).to eq(4) context 'when no plan is provided' do
it 'returns billable users count including guests' do
expect(billable_members_count).to eq(5)
end
end end
it "returns billable users count including guests when a plan that should include guests is provided" do context 'when a plan is provided' do
query = <<~GQL let(:query) do
<<~GQL
query { query {
group(fullPath: "#{group.full_path}") { group(fullPath: "#{group.full_path}") {
id, id,
billableMembersCount(requestedHostedPlan: "#{::Plan::SILVER}") billableMembersCount(requestedHostedPlan: "#{plan}")
} }
} }
GQL GQL
end
result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json context 'with a plan that should include guests is provided' do
let(:plan) { ::Plan::SILVER }
billable_members_count = result.dig('data', 'group', 'billableMembersCount')
expect(billable_members_count).to eq(4) it 'returns billable users count including guests' do
expect(billable_members_count).to eq(5)
end
end end
it "returns billable users count excluding guests when a plan that should exclude guests is provided" do context 'with a plan that should exclude guests is provided' do
query = <<~GQL let(:plan) { ::Plan::ULTIMATE }
query {
group(fullPath: "#{group.full_path}") {
id,
billableMembersCount(requestedHostedPlan: "#{::Plan::ULTIMATE}")
}
}
GQL
result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json it 'returns billable users count excluding guests when a plan that should exclude guests is provided' do
expect(billable_members_count).to eq(3)
end
end
end
billable_members_count = result.dig('data', 'group', 'billableMembersCount') context 'without owner authorization' do
let(:current_user) { group_developer }
expect(billable_members_count).to eq(2) it 'does not return the billable members count' do
expect(billable_members_count).to be_nil
end
end end
end end
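Review bot: The `without owner authorization` context at the end of the hunk only exercises `group_developer`, so the authorization this commit introduces is never checked for the cases where a regression would actually leak the count: a maintainer, a user with no membership in the group, and an anonymous request. I would add sibling contexts for those callers, each overriding `current_user` (for the anonymous case `let(:current_user) { nil }`) and asserting `expect(billable_members_count).to be_nil`, and note that `project_developer` and `project_guest` are set up in `before` but never used as `current_user`, so project-only members are also unverified. On naming, `it 'returns billable users count excluding guests when a plan that should exclude guests is provided'` repeats its enclosing context; `it 'returns billable users count excluding guests'` would match the sibling example. The `describe 'billable members count'` block and its `let(:query)` heredoc begin in the earlier hunk.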
......