Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-27 11:57:43 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-27 11:57:43 +0300
commit: bc299f54e841488b4ab37777761db1dfc7f3b60e (patch)
tree: bf58693acb03633a63138874072e3d3af3ee9f76 /app/graphql
parent: 2fad41087674984a064cf6a312ac34c16bb2a1aa (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb
index 1f18a37fcb9..da658e1f108 100644
--- a/app/graphql/mutations/base_mutation.rb
+++ b/app/graphql/mutations/base_mutation.rb
@@ -44,9 +44,18 @@ module Mutations
       end
     end
 
+    def self.authorizes_object?
+      true
+    end
+
     def self.authorized?(object, context)
-      # we never provide an object to mutations, but we do need to have a user.
-      context[:current_user].present? && !context[:current_user].blocked?
+      auth = ::Gitlab::Graphql::Authorize::ObjectAuthorization.new(:execute_graphql_mutation, :api)
+
+      return true if auth.ok?(:global, context[:current_user],
+                              scope_validator: context[:scope_validator])
+
+      # in our mutations we raise, rather than returning a null value.
+      raise_resource_not_available_error!
     end
 
     # See: AuthorizeResource#authorized_resource?
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-04-27 11:57:43 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-04-27 11:57:43 +0300
commit	bc299f54e841488b4ab37777761db1dfc7f3b60e (patch)
tree	bf58693acb03633a63138874072e3d3af3ee9f76 /app/graphql
parent	2fad41087674984a064cf6a312ac34c16bb2a1aa (diff)