Merge branch 'bvl-graphql-only-authorize-rendered-fields' into 'master'

Only check abilities on rendered GraphQL nodes Closes #58647 and #60355 See merge request gitlab-org/gitlab-ce!27273
author: Lin Jen-Shin <godfat@godfat.org> 2019-04-19 13:03:54 +0300
committer: Lin Jen-Shin <godfat@godfat.org> 2019-04-19 13:03:54 +0300
commit: 4d2bce770bdf1b12378d3c06f895cc73d46d6f9f (patch)
tree: 923cf5f33e3d69c57c718579f14797b4efcc98de /spec/requests
parent: fe1407b1fba62b14862613de563857f339e3c31b (diff)
parent: eca8e6f09b1800b58904582b527103b5c755e898 (diff)
1 files changed, 26 insertions, 2 deletions
diff --git a/spec/requests/api/graphql/project/issues_spec.rb b/spec/requests/api/graphql/project/issues_spec.rb
index c2934430821..4f9f916f22e 100644
--- a/spec/requests/api/graphql/project/issues_spec.rb
+++ b/spec/requests/api/graphql/project/issues_spec.rb
@@ -7,8 +7,8 @@ describe 'getting an issue list for a project' do
   let(:current_user) { create(:user) }
   let(:issues_data) { graphql_data['project']['issues']['edges'] }
   let!(:issues) do
-    create(:issue, project: project, discussion_locked: true)
-    create(:issue, project: project)
+    [create(:issue, project: project, discussion_locked: true),
+     create(:issue, project: project)]
   end
   let(:fields) do
     <<~QUERY
@@ -47,6 +47,30 @@ describe 'getting an issue list for a project' do
     expect(issues_data[1]['node']['discussionLocked']).to eq true
   end
 
+  context 'when limiting the number of results' do
+    let(:query) do
+      graphql_query_for(
+        'project',
+        { 'fullPath' => project.full_path },
+        "issues(first: 1) { #{fields} }"
+      )
+    end
+
+    it_behaves_like 'a working graphql query' do
+      before do
+        post_graphql(query, current_user: current_user)
+      end
+    end
+
+    it "is expected to check permissions on the first issue only" do
+      allow(Ability).to receive(:allowed?).and_call_original
+      # Newest first, we only want to see the newest checked
+      expect(Ability).not_to receive(:allowed?).with(current_user, :read_issue, issues.first)
+
+      post_graphql(query, current_user: current_user)
+    end
+  end
+
   context 'when the user does not have access to the issue' do
     it 'returns nil' do
       project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
author	Lin Jen-Shin <godfat@godfat.org>	2019-04-19 13:03:54 +0300
committer	Lin Jen-Shin <godfat@godfat.org>	2019-04-19 13:03:54 +0300
commit	4d2bce770bdf1b12378d3c06f895cc73d46d6f9f (patch)
tree	923cf5f33e3d69c57c718579f14797b4efcc98de /spec/requests
parent	fe1407b1fba62b14862613de563857f339e3c31b (diff)
parent	eca8e6f09b1800b58904582b527103b5c755e898 (diff)