Allow authorize on array of objects for GraphQL

And add tests

Allow authorize on array of objects for GraphQL
And add tests
564b86a3 · Lin Jen-Shin · 7be1f084 · 564b86a3 · 564b86a3 · 564b86a3
Commit 564b86a3 authored Feb 12, 2019 by Lin Jen-Shin
4 changed files
--- a/app/graphql/types/project_type.rb
+++ b/app/graphql/types/project_type.rb
@@ -70,7 +70,7 @@ module Types
          Types::MergeRequestType.connection_type,
          null: true,
          resolver: Resolvers::MergeRequestsResolver do
-      # authorize :read_merge_request
+      authorize :read_merge_request
    end

    field :merge_request,

--- a/lib/gitlab/graphql/authorize/instrumentation.rb
+++ b/lib/gitlab/graphql/authorize/instrumentation.rb
@@ -35,10 +35,25 @@ module Gitlab
        private

        def build_checker(current_user, abilities)
-          proc do |obj|
+          lambda do |value|
            # Load the elements if they weren't loaded by BatchLoader yet
-            obj = obj.sync if obj.respond_to?(:sync)
-            obj if abilities.all? { |ability| Ability.allowed?(current_user, ability, obj) }
+            value = value.sync if value.respond_to?(:sync)
+
+            check = lambda do |object|
+              abilities.all? do |ability|
+                Ability.allowed?(current_user, ability, object)
+              end
+            end
+
+            checked =
+              case value
+              when Array
+                value.all?(&check)
+              else
+                check.call(value)
+              end
+
+            value if checked
          end
        end
      end

--- a/spec/graphql/types/project_type_spec.rb
+++ b/spec/graphql/types/project_type_spec.rb
@@ -15,7 +15,8 @@ describe GitlabSchema.types['Project'] do
    end

    it 'authorizes the merge requests' do
-      skip
+      expect(described_class.fields['mergeRequests'])
+        .to require_graphql_authorizations(:read_merge_request)
    end
  end


--- a/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb
+++ b/spec/lib/gitlab/graphql/authorize/instrumentation_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Graphql::Authorize::Instrumentation do
+  describe '#build_checker' do
+    let(:current_user) { double(:current_user) }
+    let(:abilities) { [double(:first_ability), double(:last_ability)] }
+
+    let(:checker) do
+      described_class.new.__send__(:build_checker, current_user, abilities)
+    end
+
+    it 'returns a checker which checks for a single object' do
+      object = double(:object)
+
+      abilities.each do |ability|
+        spy_ability_check_for(ability, object)
+      end
+
+      expect(checker.call(object)).to eq(object)
+    end
+
+    it 'returns a checker which checks for all objects' do
+      objects = [double(:first), double(:last)]
+
+      abilities.each do |ability|
+        objects.each do |object|
+          spy_ability_check_for(ability, object)
+        end
+      end
+
+      expect(checker.call(objects)).to eq(objects)
+    end
+
+    def spy_ability_check_for(ability, object)
+      expect(Ability)
+        .to receive(:allowed?)
+        .with(current_user, ability, object)
+        .and_return(true)
+    end
+  end
+end