Merge branch 'update-authorization-jobs' into 'master'

Updates authorization type to JobType See merge request gitlab-org/gitlab!74548

Merge branch 'update-authorization-jobs' into 'master'
Updates authorization type to JobType See merge request gitlab-org/gitlab!74548
aaf32baa · Stan Hu · 0d731566 · f2fcf232 · aaf32baa · aaf32baa
Commit aaf32baa authored Nov 30, 2021 by Stan Hu
5 changed files
--- a/app/graphql/types/ci/pipeline_type.rb
+++ b/app/graphql/types/ci/pipeline_type.rb
@@ -66,7 +66,7 @@ module Types
      field :stages,
            type: Types::Ci::StageType.connection_type,
            null: true,
-            authorize: :read_commit_status,
+            authorize: :read_build,
            description: 'Stages of the pipeline.',
            extras: [:lookahead],
            resolver: Resolvers::Ci::PipelineStagesResolver
@@ -89,14 +89,14 @@ module Types
      field :jobs,
            ::Types::Ci::JobType.connection_type,
            null: true,
-            authorize: :read_commit_status,
+            authorize: :read_build,
            description: 'Jobs belonging to the pipeline.',
            resolver: ::Resolvers::Ci::JobsResolver

      field :job,
            type: ::Types::Ci::JobType,
            null: true,
-            authorize: :read_commit_status,
+            authorize: :read_build,
            description: 'Specific job in this pipeline, either by name or ID.' do
        argument :id,
                 type: ::Types::GlobalIDType[::CommitStatus],
@@ -116,7 +116,7 @@ module Types
      field :source_job,
            type: Types::Ci::JobType,
            null: true,
-            authorize: :read_commit_status,
+            authorize: :read_build,
            description: 'Job where pipeline was triggered from.'

      field :downstream, Types::Ci::PipelineType.connection_type, null: true,

--- a/app/graphql/types/ci/stage_type.rb
+++ b/app/graphql/types/ci/stage_type.rb
@@ -4,7 +4,7 @@ module Types
  module Ci
    class StageType < BaseObject
      graphql_name 'CiStage'
-      authorize :read_commit_status
+      authorize :read_build

      field :id, GraphQL::Types::ID, null: false,
            description: 'ID of the stage.'

--- a/app/graphql/types/project_type.rb
+++ b/app/graphql/types/project_type.rb
@@ -194,7 +194,7 @@ module Types
    field :jobs,
          type: Types::Ci::JobType.connection_type,
          null: true,
-          authorize: :read_commit_status,
+          authorize: :read_build,
          description: 'Jobs of a project. This field can only be resolved for one project in any single request.',
          resolver: Resolvers::ProjectJobsResolver


--- a/spec/requests/api/graphql/ci/pipelines_spec.rb
+++ b/spec/requests/api/graphql/ci/pipelines_spec.rb
@@ -79,12 +79,13 @@ RSpec.describe 'Query.project(fullPath).pipelines' do
      create(:ci_build, pipeline: pipeline, stage_id: other_stage.id, name: 'linux: [baz]')
    end

-    it 'is null if the user is a guest' do
+    it 'is present if the user has guest access' do
      project.add_guest(user)

-      post_graphql(query, current_user: user, variables: first_n.with(1))
+      post_graphql(query, current_user: user)

-      expect(graphql_data_at(:project, :pipelines, :nodes)).to contain_exactly a_hash_including('stages' => be_nil)
+      expect(graphql_data_at(:project, :pipelines, :nodes, :stages, :nodes, :name))
+        .to contain_exactly(eq(stage.name), eq(other_stage.name))
    end

    it 'is present if the user has reporter access' do
@@ -113,12 +114,13 @@ RSpec.describe 'Query.project(fullPath).pipelines' do
        wrap_fields(query_graphql_path(query_path, :name))
      end

-      it 'is empty if the user is a guest' do
+      it 'is present if the user has guest access' do
        project.add_guest(user)

        post_graphql(query, current_user: user)

-        expect(graphql_data_at(:project, :pipelines, :nodes, :stages, :nodes, :groups)).to be_empty
+        expect(graphql_data_at(:project, :pipelines, :nodes, :stages, :nodes, :groups, :nodes, :name))
+          .to contain_exactly('linux', 'linux')
      end

      it 'is present if the user has reporter access' do

--- a/spec/requests/api/graphql/project_query_spec.rb
+++ b/spec/requests/api/graphql/project_query_spec.rb
@@ -143,6 +143,40 @@ RSpec.describe 'getting project information' do
    end
  end

+  context 'when the user has guest access' do
+    context 'when the project has public pipelines' do
+      before do
+        pipeline = create(:ci_pipeline, project: project)
+        create(:ci_build, project: project, pipeline: pipeline, name: 'a test job')
+        project.add_guest(current_user)
+      end
+
+      it 'shows all jobs' do
+        query = <<~GQL
+          query {
+            project(fullPath: "#{project.full_path}") {
+              jobs {
+                nodes {
+                  name
+                  stage {
+                    name
+                  }
+                }
+              }
+            }
+          }
+        GQL
+
+        post_graphql(query, current_user: current_user)
+
+        expect(graphql_data_at(:project, :jobs, :nodes)).to contain_exactly({
+          'name' => 'a test job',
+          'stage' => { 'name' => 'test' }
+        })
+      end
+    end
+  end
+
  context 'when the user does not have access to the project' do
    it 'returns an empty field' do
      post_graphql(query, current_user: current_user)