diff options
Diffstat (limited to 'app/graphql/types/ci/job_base_field.rb')
-rw-r--r-- | app/graphql/types/ci/job_base_field.rb | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/app/graphql/types/ci/job_base_field.rb b/app/graphql/types/ci/job_base_field.rb new file mode 100644 index 00000000000..979f1748494 --- /dev/null +++ b/app/graphql/types/ci/job_base_field.rb @@ -0,0 +1,35 @@ +# frozen_string_literal: true + +module Types + module Ci + # JobBaseField ensures that only allow-listed fields can be returned without a permission check. + # All other fields go through a permissions check based on the :job_field_authorization value passed in the context. + # rubocop: disable Graphql/AuthorizeTypes + class JobBaseField < ::Types::BaseField + PUBLIC_FIELDS = %i[allow_failure duration id kind status created_at finished_at queued_at queued_duration + updated_at runner].freeze + + attr_accessor :if_unauthorized + + def initialize(**kwargs, &block) + @if_unauthorized = kwargs.delete(:if_unauthorized) + + super + end + + def authorized?(object, args, ctx) + current_user = ctx[:current_user] + permission = ctx[:job_field_authorization] + + if permission.nil? || + PUBLIC_FIELDS.include?(ctx[:current_field].original_name) || + current_user.can?(permission, object) + return super + end + + false + end + end + # rubocop: enable Graphql/AuthorizeTypes + end +end |