diff options
| author | Bob Van Landuyt <bob@gitlab.com> | 2019-06-26 09:59:28 +0300 |
|---|---|---|
| committer | Bob Van Landuyt <bob@gitlab.com> | 2019-06-26 09:59:28 +0300 |
| commit | 36db790a179ef8267161fc3735a3f1474bbde485 (patch) | |
| tree | d03703a4c4e310acaf112d7521f62db74b49a364 /lib | |
| parent | 8db4a54df0d57399e7bfd1723a16639862ca456c (diff) | |
| parent | bbdcbd98aed2bfb4eba008669d3fca500b6e0ace (diff) | |
Merge branch 'graphql-error-when-authorizing-with-no-permissions-defined' into 'master'
Sanity check for GraphQL authorized?
See merge request gitlab-org/gitlab-ce!29921
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gitlab/graphql/authorize/authorize_resource.rb | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/lib/gitlab/graphql/authorize/authorize_resource.rb b/lib/gitlab/graphql/authorize/authorize_resource.rb index b367a97105c..ef5caaf5b0e 100644 --- a/lib/gitlab/graphql/authorize/authorize_resource.rb +++ b/lib/gitlab/graphql/authorize/authorize_resource.rb @@ -27,12 +27,6 @@ module Gitlab raise NotImplementedError, "Implement #find_object in #{self.class.name}" end - def authorized_find(*args) - object = find_object(*args) - - object if authorized?(object) - end - def authorized_find!(*args) object = find_object(*args) authorize!(object) @@ -48,6 +42,12 @@ module Gitlab end def authorized?(object) + # Sanity check. We don't want to accidentally allow a developer to authorize + # without first adding permissions to authorize against + if self.class.required_permissions.empty? + raise Gitlab::Graphql::Errors::ArgumentError, "#{self.class.name} has no authorizations" + end + self.class.required_permissions.all? do |ability| # The actions could be performed across multiple objects. In which # case the current user is common, and we could benefit from the |