
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-25 19:54:51 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-25 19:54:51 +0300
commitcdc3d9991b0cca2d2243bdf452f61aae40d778cd (patch)
treef05b5b8c2e3fd10e210c35637292f3d28ac6f510 /spec/graphql
parente92c90758eb4126acc84962d37bb273d6d87b27b (diff)
Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee
Diffstat (limited to 'spec/graphql')
-rw-r--r--spec/graphql/resolvers/users_resolver_spec.rb19
1 files changed, 16 insertions, 3 deletions
diff --git a/spec/graphql/resolvers/users_resolver_spec.rb b/spec/graphql/resolvers/users_resolver_spec.rb
index 031d7c99eef..29947c33430 100644
--- a/spec/graphql/resolvers/users_resolver_spec.rb
+++ b/spec/graphql/resolvers/users_resolver_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe Resolvers::UsersResolver do
let_it_be(:user1) { create(:user, name: "SomePerson") }
let_it_be(:user2) { create(:user, username: "someone123784") }
+ let_it_be(:current_user) { create(:user) }
specify do
expect(described_class).to have_nullable_graphql_type(Types::UserType.connection_type)
@@ -14,14 +15,14 @@ RSpec.describe Resolvers::UsersResolver do
describe '#resolve' do
it 'raises an error when read_users_list is not authorized' do
- expect(Ability).to receive(:allowed?).with(nil, :read_users_list).and_return(false)
+ expect(Ability).to receive(:allowed?).with(current_user, :read_users_list).and_return(false)
expect { resolve_users }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when no arguments are passed' do
it 'returns all users' do
- expect(resolve_users).to contain_exactly(user1, user2)
+ expect(resolve_users).to contain_exactly(user1, user2, current_user)
end
end
@@ -65,9 +66,21 @@ RSpec.describe Resolvers::UsersResolver do
expect(resolve_users( args: { search: "someperson" } )).to contain_exactly(user1)
end
end
+
+ context 'with anonymous access' do
+ let_it_be(:current_user) { nil }
+
+ it 'prohibits search without usernames passed' do
+ expect { resolve_users }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+
+ it 'allows to search by username' do
+ expect(resolve_users(args: { usernames: [user1.username] })).to contain_exactly(user1)
+ end
+ end
end
def resolve_users(args: {}, ctx: {})
- resolve(described_class, args: args, ctx: ctx)
+ resolve(described_class, args: args, ctx: { current_user: current_user }.merge(ctx))
end
end
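Review bot: The new 'with anonymous access' context checks the no-argument call and the `usernames:` call, but never an anonymous call that passes `search:`, which is the argument most likely to allow user enumeration if the restriction only checks for empty arguments. The resolver is not part of this page, so whether it rejects that case is not visible here; a spec such as `it 'prohibits search by term' do expect { resolve_users(args: { search: 'someperson' }) }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) end` would pin it down. Neither anonymous example stubs `Ability`, so both depend on the default `read_users_list` policy for a nil user; a comment saying which setting is assumed would help. As a style point, `let_it_be(:current_user) { nil }` creates no record, so a plain `let(:current_user) { nil }` reads more clearly.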