Merge branch '60800-properly-authorize-our-own-graphql-scalar-types' into 'master'

Properly authorize our own GraphQL scalar types Closes #60800 See merge request gitlab-org/gitlab-ce!27563

Merge branch '60800-properly-authorize-our-own-graphql-scalar-types' into 'master'
Properly authorize our own GraphQL scalar types Closes #60800 See merge request gitlab-org/gitlab-ce!27563
8e418477 · Dmitriy Zaporozhets · d056d9d4 · eff42d59 · 8e418477 · 8e418477
Commit 8e418477 authored Apr 24, 2019 by Dmitriy Zaporozhets
2 changed files
--- a/lib/gitlab/graphql/authorize/authorize_field_service.rb
+++ b/lib/gitlab/graphql/authorize/authorize_field_service.rb
@@ -48,7 +48,7 @@ module Gitlab
        end

        def authorize_against(parent_typed_object, resolved_type)
-          if built_in_type?
+          if scalar_type?
            # The field is a built-in/scalar type, or a list of scalars
            # authorize using the parent's object
            parent_typed_object.object
@@ -108,8 +108,8 @@ module Gitlab
          type.unwrap
        end

-        def built_in_type?
-          GraphQL::Schema::BUILT_IN_TYPES.has_value?(node_type_for_basic_connection(@field.type))
+        def scalar_type?
+          node_type_for_basic_connection(@field.type).kind.scalar?
        end
      end
    end

--- a/spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb
+++ b/spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb
@@ -45,7 +45,7 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
        end
      end

-      context "when the field is a scalar type" do
+      context "when the field is a built-in scalar type" do
        let(:field) { type_with_field(GraphQL::STRING_TYPE, :read_field).fields["testField"].to_graphql }
        let(:expected_permissions) { [:read_field] }

@@ -58,6 +58,20 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do

        it_behaves_like "checking permissions on the presented object"
      end
+
+      context "when the field is sub-classed scalar type" do
+        let(:field) { type_with_field(Types::TimeType, :read_field).fields["testField"].to_graphql }
+        let(:expected_permissions) { [:read_field] }
+
+        it_behaves_like "checking permissions on the presented object"
+      end
+
+      context "when the field is a list of sub-classed scalar types" do
+        let(:field) { type_with_field([Types::TimeType], :read_field).fields["testField"].to_graphql }
+        let(:expected_permissions) { [:read_field] }
+
+        it_behaves_like "checking permissions on the presented object"
+      end
    end

    context "when the field is a specific type" do