Instead of returning all or nothing, return whichever passed

And add tests

lib/gitlab/graphql/authorize/instrumentation.rb

@@ -45,15 +45,12 @@ module Gitlab
               end
             end
 
-            checked =
             case value
             when Array
-                value.all?(&check)
+              value.select(&check)
             else
-                check.call(value)
+              value if check.call(value)
             end
-
-            value if checked
           end
         end
       end

spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb

@@ -15,7 +15,7 @@ describe Gitlab::Graphql::Authorize::Instrumentation do
       object = double(:object)
 
       abilities.each do |ability|
-        spy_ability_check_for(ability, object)
+        spy_ability_check_for(ability, object, passed: true)
       end
 
       expect(checker.call(object)).to eq(object)
@@ -26,18 +26,42 @@ describe Gitlab::Graphql::Authorize::Instrumentation do
 
       abilities.each do |ability|
         objects.each do |object|
-          spy_ability_check_for(ability, object)
+          spy_ability_check_for(ability, object, passed: true)
         end
       end
 
       expect(checker.call(objects)).to eq(objects)
     end
 
-    def spy_ability_check_for(ability, object)
+    context 'when some objects would not pass the check' do
+      it 'returns nil when it is single object' do
+        disallowed = double(:object)
+
+        spy_ability_check_for(abilities.first, disallowed, passed: false)
+
+        expect(checker.call(disallowed)).to be_nil
+      end
+
+      it 'returns only objects which passed when there are more than one' do
+        allowed = double(:allowed)
+        disallowed = double(:disallowed)
+
+        spy_ability_check_for(abilities.first, disallowed, passed: false)
+
+        abilities.each do |ability|
+          spy_ability_check_for(ability, allowed, passed: true)
+        end
+
+        expect(checker.call([disallowed, allowed]))
+          .to contain_exactly(allowed)
+      end
+    end
+
+    def spy_ability_check_for(ability, object, passed: true)
       expect(Ability)
         .to receive(:allowed?)
         .with(current_user, ability, object)
-        .and_return(true)
+        .and_return(passed)
     end
   end
 end

spec/requests/api/graphql/project/issues_spec.rb

@@ -56,4 +56,40 @@ describe 'getting an issue list for a project' do
       expect(issues_data).to eq []
     end
   end
+
+  context 'when there is a confidential issue' do
+    let!(:confidential_issue) do
+      create(:issue, :confidential, project: project)
+    end
+
+    context 'when the user cannot see confidential issues' do
+      it 'returns issues without confidential issues' do
+        post_graphql(query, current_user: current_user)
+
+        expect(issues_data.size).to eq(2)
+
+        issues_data.each do |issue|
+          expect(issue.dig('node', 'confidential')).to eq(false)
+        end
+      end
+    end
+
+    context 'when the user can see confidential issues' do
+      before do
+        project.add_developer(current_user)
+      end
+
+      it 'returns issues with confidential issues' do
+        post_graphql(query, current_user: current_user)
+
+        expect(issues_data.size).to eq(3)
+
+        confidentials = issues_data.map do |issue|
+          issue.dig('node', 'confidential')
+        end
+
+        expect(confidentials).to eq([true, false, false])
+      end
+    end
+  end
 end