author | Mayra Cabrera <mcabrera@gitlab.com> | 2019-06-14 23:40:21 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2019-06-14 23:40:21 +0300 |
commit | d7f10c2949cef3fb6c15d4972cf8e8186d6d84a0 (patch) | |
tree | cc17c353be14a903723f55a715f70128e31439e8 /app | |
parent | ad722a4e1f588382f5c5c1848c0502864993c7e7 (diff) |
Do not blindly expose public project statistics
Add the missing check on GraphQL API for project statistics
Diffstat (limited to 'app')
-rw-r--r-- | app/graphql/types/project_statistics_type.rb | 2 | ||||
-rw-r--r-- | app/graphql/types/project_type.rb | 2 | ||||
-rw-r--r-- | app/policies/project_statistics_policy.rb | 5 |
3 files changed, 8 insertions, 1 deletions
diff --git a/app/graphql/types/project_statistics_type.rb b/app/graphql/types/project_statistics_type.rb
index 62537361918..4000c6db280 100644
--- a/app/graphql/types/project_statistics_type.rb
+++ b/app/graphql/types/project_statistics_type.rb
@@ -4,6 +4,8 @@ module Types
 class ProjectStatisticsType < BaseObject
 graphql_name 'ProjectStatistics'
+ authorize :read_statistics
+
 field :commit_count, GraphQL::INT_TYPE, null: false
 field :storage_size, GraphQL::INT_TYPE, null: false
diff --git a/app/graphql/types/project_type.rb b/app/graphql/types/project_type.rb
index 2236ffa394d..81914b70c7f 100644
--- a/app/graphql/types/project_type.rb
+++ b/app/graphql/types/project_type.rb
@@ -70,7 +70,7 @@ module Types
 field :group, Types::GroupType, null: true
 field :statistics, Types::ProjectStatisticsType,
- null: false,
+ null: true,
 resolve: -> (obj, _args, _ctx) { Gitlab::Graphql::Loaders::BatchProjectStatisticsLoader.new(obj.id).find }
 field :repository, Types::RepositoryType, null: false
diff --git a/app/policies/project_statistics_policy.rb b/app/policies/project_statistics_policy.rb
new file mode 100644
index 00000000000..c0592f1ea13
--- /dev/null
+++ b/app/policies/project_statistics_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ProjectStatisticsPolicy < BasePolicy
+ delegate { @subject.project }
+end |
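Review bot: The `statistics` field in `project_type.rb` still runs `BatchProjectStatisticsLoader.new(obj.id).find` for every requested project, and the permission decision rests entirely on the `authorize :read_statistics` declared on `ProjectStatisticsType`. Nothing in this hunk shows that the check is applied to the batch-loaded value this resolver returns. The switch to `null: true` only makes room for a redacted result; it does not enforce one. A request spec that queries `statistics` on a public project as a user without `read_statistics` and asserts `nil` would pin this down (the diffstat shown is limited to `app`, so one may already exist outside this view). A comment above the field such as `# Nullable: redacted to nil when the user lacks :read_statistics` would record why the nullability changed; the enclosing `ProjectType` class starts and ends outside the hunk.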
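Review bot: `ProjectStatisticsPolicy` declares no rules of its own, so `read_statistics` is only answerable if the delegated project policy defines it, and that definition is not part of the visible diff. It is worth confirming which roles are granted the ability, since the commit's stated aim is to stop exposing statistics of public projects to everyone. `delegate { @subject.project }` also assumes every statistics record has a project; if `project` can be nil, the outcome of the check (presumably denied, but not visible here) should be fixed by a spec. A class comment would help the next reader: `# Statistics carry no permissions of their own; every ability comes from the owning project's policy.`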