Diffstat (limited to 'lib/gitlab/graphql/authorize/authorize_field_service.rb')
-rw-r--r-- | lib/gitlab/graphql/authorize/authorize_field_service.rb | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/gitlab/graphql/authorize/authorize_field_service.rb b/lib/gitlab/graphql/authorize/authorize_field_service.rb
index 61668b634fd..cbf3e7b8429 100644
--- a/lib/gitlab/graphql/authorize/authorize_field_service.rb
+++ b/lib/gitlab/graphql/authorize/authorize_field_service.rb
@@ -84,13 +84,25 @@ module Gitlab
 elsif resolved_type.is_a? Array
 # A simple list of rendered types each object being an object to authorize
 resolved_type.select do |single_object_type|
- allowed_access?(current_user, single_object_type.object)
+ allowed_access?(current_user, realized(single_object_type).object)
 end
 else
 raise "Can't authorize #{@field}"
 end
 end
+ # Ensure that we are dealing with realized objects, not delayed promises
+ def realized(thing)
+ case thing
+ when BatchLoader::GraphQL
+ thing.sync
+ when GraphQL::Execution::Lazy
+ thing.value # part of the private api, but we need to unwrap it here.
+ else
+ thing
+ end
+ end
+
 def allowed_access?(current_user, object)
 object = object.sync if object.respond_to?(:sync) |
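Review bot: `realized` unwraps exactly one layer, so in the Array branch an element whose `sync` or `value` result is itself a lazy wrapper would still reach `.object` unrealized. In this authorization filter that most likely raises and fails closed, but it would take down the whole field for one element, and it leaves the permission check dependent on what each wrapper happens to respond to. Unwrapping until the value is no longer a `BatchLoader::GraphQL` or `GraphQL::Execution::Lazy` would make the check independent of nesting depth. The comment on `thing.value` should also name the graphql-ruby behaviour being relied on, since it is flagged as private API and an upgrade could change it silently. The enclosing method starts above the hunk and `allowed_access?` continues below it, so the other branches could not be checked for the same gap.

```ruby
# Ensure that we are dealing with realized objects, not delayed promises.
# A lazy may resolve to another lazy, so unwrap until the value is stable.
def realized(thing)
  loop do
    case thing
    when BatchLoader::GraphQL
      thing = thing.sync
    when GraphQL::Execution::Lazy
      thing = thing.value # part of the private api, but we need to unwrap it here.
    else
      return thing
    end
  end
end
```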