Expose permissions on types in GraphQL

This adds a reusable way to expose permissions for a user to types in
GraphQL.

10 files changed, 189 insertions, 48 deletions

diff --git a/spec/graphql/types/merge_request_type_spec.rb b/spec/graphql/types/merge_request_type_spec.rb
new file mode 100644
index 00000000000..6e57122867a
--- /dev/null
+++ b/spec/graphql/types/merge_request_type_spec.rb
@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe Types::MergeRequestType do
+  it { expect(described_class).to expose_permissions_using(Types::PermissionTypes::MergeRequest) }
+end
diff --git a/spec/graphql/types/permission_types/base_permission_type_spec.rb b/spec/graphql/types/permission_types/base_permission_type_spec.rb
new file mode 100644
index 00000000000..a7e51797047
--- /dev/null
+++ b/spec/graphql/types/permission_types/base_permission_type_spec.rb
@@ -0,0 +1,47 @@
+require 'spec_helper'
+
+describe Types::PermissionTypes::BasePermissionType do
+  let(:permitable) { double('permittable') }
+  let(:current_user) { build(:user) }
+  let(:context) { { current_user: current_user } }
+  subject(:test_type) do
+    Class.new(described_class) do
+      graphql_name 'TestClass'
+
+      permission_field :do_stuff, resolve: -> (_, _, _)  { true }
+      ability_field(:read_issue)
+      abilities :admin_issue
+    end
+  end
+
+  describe '.permission_field' do
+    it 'adds a field for the required permission' do
+      is_expected.to have_graphql_field(:do_stuff)
+    end
+  end
+
+  describe '.ability_field' do
+    it 'adds a field for the required permission' do
+      is_expected.to have_graphql_field(:read_issue)
+    end
+
+    it 'does not add a resolver block if another resolving param is passed' do
+      expected_keywords = {
+        name: :resolve_using_hash,
+        hash_key: :the_key,
+        type: GraphQL::BOOLEAN_TYPE,
+        description: "custom description",
+        null: false
+      }
+      expect(test_type).to receive(:field).with(expected_keywords)
+
+      test_type.ability_field :resolve_using_hash, hash_key: :the_key, description: "custom description"
+    end
+  end
+
+  describe '.abilities' do
+    it 'adds a field for the passed permissions' do
+      is_expected.to have_graphql_field(:admin_issue)
+    end
+  end
+end
diff --git a/spec/graphql/types/permission_types/merge_request_spec.rb b/spec/graphql/types/permission_types/merge_request_spec.rb
new file mode 100644
index 00000000000..e1026b01a74
--- /dev/null
+++ b/spec/graphql/types/permission_types/merge_request_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe Types::PermissionTypes::MergeRequest do
+  it do
+    expected_permissions = [
+      :read_merge_request, :admin_merge_request, :update_merge_request,
+      :create_note, :push_to_source_branch, :remove_source_branch,
+      :cherry_pick_on_current_merge_request, :revert_on_current_merge_request
+    ]
+
+    expect(described_class).to have_graphql_fields(expected_permissions)
+  end
+end
diff --git a/spec/graphql/types/permission_types/merge_request_type_spec.rb b/spec/graphql/types/permission_types/merge_request_type_spec.rb
new file mode 100644
index 00000000000..6e57122867a
--- /dev/null
+++ b/spec/graphql/types/permission_types/merge_request_type_spec.rb
@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe Types::MergeRequestType do
+  it { expect(described_class).to expose_permissions_using(Types::PermissionTypes::MergeRequest) }
+end
diff --git a/spec/graphql/types/permission_types/project_spec.rb b/spec/graphql/types/permission_types/project_spec.rb
new file mode 100644
index 00000000000..89eecef096e
--- /dev/null
+++ b/spec/graphql/types/permission_types/project_spec.rb
@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe Types::PermissionTypes::Project do
+  it do
+    expected_permissions = [
+      :change_namespace, :change_visibility_level, :rename_project, :remove_project, :archive_project,
+      :remove_fork_project, :remove_pages, :read_project, :create_merge_request_in,
+      :read_wiki, :read_project_member, :create_issue,  :upload_file, :read_cycle_analytics,
+      :download_code, :download_wiki_code, :fork_project, :create_project_snippet,
+      :read_commit_status, :request_access, :create_pipeline, :create_pipeline_schedule,
+      :create_merge_request_from, :create_wiki, :push_code, :create_deployment, :push_to_delete_protected_branch,
+      :admin_wiki, :admin_project, :update_pages, :admin_remote_mirror, :create_label,
+      :update_wiki, :destroy_wiki, :create_pages, :destroy_pages
+    ]
+
+    expect(described_class).to have_graphql_fields(expected_permissions)
+  end
+end
diff --git a/spec/graphql/types/project_type_spec.rb b/spec/graphql/types/project_type_spec.rb
index b4eeca2e3f1..7b5bc335511 100644
--- a/spec/graphql/types/project_type_spec.rb
+++ b/spec/graphql/types/project_type_spec.rb
@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe GitlabSchema.types['Project'] do
+  it { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Project) }
+
   it { expect(described_class.graphql_name).to eq('Project') }
 
   describe 'nested merge request' do
diff --git a/spec/requests/api/graphql/project/merge_request_spec.rb b/spec/requests/api/graphql/project/merge_request_spec.rb
new file mode 100644
index 00000000000..ad57c43bc87
--- /dev/null
+++ b/spec/requests/api/graphql/project/merge_request_spec.rb
@@ -0,0 +1,70 @@
+require 'spec_helper'
+
+describe 'getting merge request information nested in a project' do
+  include GraphqlHelpers
+
+  let(:project) { create(:project, :repository, :public) }
+  let(:current_user) { create(:user) }
+  let(:merge_request_graphql_data) { graphql_data['project']['mergeRequest'] }
+  let!(:merge_request) { create(:merge_request, source_project: project) }
+
+  let(:query) do
+    graphql_query_for(
+      'project',
+      { 'fullPath' => project.full_path },
+      query_graphql_field('mergeRequest', iid: merge_request.iid)
+    )
+  end
+
+  it_behaves_like 'a working graphql query' do
+    before do
+      post_graphql(query, current_user: current_user)
+    end
+  end
+
+  it 'contains merge request information' do
+    post_graphql(query, current_user: current_user)
+
+    expect(merge_request_graphql_data).not_to be_nil
+  end
+
+  # This is a field coming from the `MergeRequestPresenter`
+  it 'includes a web_url' do
+    post_graphql(query, current_user: current_user)
+
+    expect(merge_request_graphql_data['webUrl']).to be_present
+  end
+
+  context 'permissions on the merge request' do
+    it 'includes the permissions for the current user on a public project' do
+      expected_permissions = {
+        'readMergeRequest' => true,
+        'adminMergeRequest' => false,
+        'createNote' => true,
+        'pushToSourceBranch' => false,
+        'removeSourceBranch' => false,
+        'cherryPickOnCurrentMergeRequest' => false,
+        'revertOnCurrentMergeRequest' => false,
+        'updateMergeRequest' => false
+      }
+      post_graphql(query, current_user: current_user)
+
+      permission_data = merge_request_graphql_data['userPermissions']
+
+      expect(permission_data).to be_present
+      expect(permission_data).to eq(expected_permissions)
+    end
+  end
+
+  context 'when the user does not have access to the merge request' do
+    let(:project) { create(:project, :public, :repository) }
+
+    it 'returns nil' do
+      project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+
+      post_graphql(query)
+
+      expect(merge_request_graphql_data).to be_nil
+    end
+  end
+end
diff --git a/spec/requests/api/graphql/project_query_spec.rb b/spec/requests/api/graphql/project_query_spec.rb
index 796ffc9d569..a2b3dc5d121 100644
--- a/spec/requests/api/graphql/project_query_spec.rb
+++ b/spec/requests/api/graphql/project_query_spec.rb
@@ -26,50 +26,6 @@ describe 'getting project information' do
         post_graphql(query, current_user: current_user)
       end
     end
-
-    context 'when requesting a nested merge request' do
-      let(:merge_request) { create(:merge_request, source_project: project) }
-      let(:merge_request_graphql_data) { graphql_data['project']['mergeRequest'] }
-
-      let(:query) do
-        graphql_query_for(
-          'project',
-          { 'fullPath' => project.full_path },
-          query_graphql_field('mergeRequest', iid: merge_request.iid)
-        )
-      end
-
-      it_behaves_like 'a working graphql query' do
-        before do
-          post_graphql(query, current_user: current_user)
-        end
-      end
-
-      it 'contains merge request information' do
-        post_graphql(query, current_user: current_user)
-
-        expect(merge_request_graphql_data).not_to be_nil
-      end
-
-      # This is a field coming from the `MergeRequestPresenter`
-      it 'includes a web_url' do
-        post_graphql(query, current_user: current_user)
-
-        expect(merge_request_graphql_data['webUrl']).to be_present
-      end
-
-      context 'when the user does not have access to the merge request' do
-        let(:project) { create(:project, :public, :repository) }
-
-        it 'returns nil' do
-          project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
-
-          post_graphql(query)
-
-          expect(merge_request_graphql_data).to be_nil
-        end
-      end
-    end
   end
 
   context 'when the user does not have access to the project' do
diff --git a/spec/support/matchers/graphql_matchers.rb b/spec/support/matchers/graphql_matchers.rb
index d23cbaf4beb..be6fa4c71a0 100644
--- a/spec/support/matchers/graphql_matchers.rb
+++ b/spec/support/matchers/graphql_matchers.rb
@@ -7,9 +7,24 @@ RSpec::Matchers.define :require_graphql_authorizations do |*expected|
 end
 
 RSpec::Matchers.define :have_graphql_fields do |*expected|
+  def expected_field_names
+    expected.map { |name| GraphqlHelpers.fieldnamerize(name) }
+  end
+
   match do |kls|
-    field_names = expected.map { |name| GraphqlHelpers.fieldnamerize(name) }
-    expect(kls.fields.keys).to contain_exactly(*field_names)
+    expect(kls.fields.keys).to contain_exactly(*expected_field_names)
+  end
+
+  failure_message do |kls|
+    missing = expected_field_names - kls.fields.keys
+    extra = kls.fields.keys - expected_field_names
+
+    message = []
+
+    message << "is missing fields: <#{missing.inspect}>" if missing.any?
+    message << "contained unexpected fields: <#{extra.inspect}>" if extra.any?
+
+    message.join("\n")
   end
 end
 
@@ -44,3 +59,13 @@ RSpec::Matchers.define :have_graphql_resolver do |expected|
     end
   end
 end
+
+RSpec::Matchers.define :expose_permissions_using do |expected|
+  match do |type|
+    permission_field = type.fields['userPermissions']
+
+    expect(permission_field).not_to be_nil
+    expect(permission_field.type).to be_non_null
+    expect(permission_field.type.of_type.graphql_name).to eq(expected.graphql_name)
+  end
+end
diff --git a/spec/support/shared_examples/requests/graphql_shared_examples.rb b/spec/support/shared_examples/requests/graphql_shared_examples.rb
index 9b2b74593a5..fe7b7bc306f 100644
--- a/spec/support/shared_examples/requests/graphql_shared_examples.rb
+++ b/spec/support/shared_examples/requests/graphql_shared_examples.rb
@@ -3,8 +3,8 @@ require 'spec_helper'
 shared_examples 'a working graphql query' do
   include GraphqlHelpers
 
-  it 'is returns a successfull response', :aggregate_failures do
-    expect(response).to be_success
+  it 'returns a successful response', :aggregate_failures do
+    expect(response).to have_gitlab_http_status(:success)
     expect(graphql_errors['errors']).to be_nil
     expect(json_response.keys).to include('data')
   end