diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-27 11:57:43 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-27 11:57:43 +0300 |
commit | bc299f54e841488b4ab37777761db1dfc7f3b60e (patch) | |
tree | bf58693acb03633a63138874072e3d3af3ee9f76 /lib/gitlab/graphql | |
parent | 2fad41087674984a064cf6a312ac34c16bb2a1aa (diff) |
Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee
Diffstat (limited to 'lib/gitlab/graphql')
-rw-r--r-- | lib/gitlab/graphql/authorize/object_authorization.rb | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/lib/gitlab/graphql/authorize/object_authorization.rb b/lib/gitlab/graphql/authorize/object_authorization.rb index 0bc87108871..f13acc9ea27 100644 --- a/lib/gitlab/graphql/authorize/object_authorization.rb +++ b/lib/gitlab/graphql/authorize/object_authorization.rb @@ -4,10 +4,11 @@ module Gitlab module Graphql module Authorize class ObjectAuthorization - attr_reader :abilities + attr_reader :abilities, :permitted_scopes - def initialize(abilities) + def initialize(abilities, scopes = %i[api read_api]) @abilities = Array.wrap(abilities).flatten + @permitted_scopes = Array.wrap(scopes) end def none? @@ -18,7 +19,13 @@ module Gitlab abilities.present? end - def ok?(object, current_user) + def ok?(object, current_user, scope_validator: nil) + scopes_ok?(scope_validator) && abilities_ok?(object, current_user) + end + + private + + def abilities_ok?(object, current_user) return true if none? subject = object.try(:declarative_policy_subject) || object @@ -26,6 +33,12 @@ module Gitlab Ability.allowed?(current_user, ability, subject) end end + + def scopes_ok?(validator) + return true unless validator.present? + + validator.valid_for?(permitted_scopes) + end end end end |