diff options
Diffstat (limited to 'spec/graphql/features/authorization_spec.rb')
-rw-r--r-- | spec/graphql/features/authorization_spec.rb | 76 |
1 files changed, 61 insertions, 15 deletions
diff --git a/spec/graphql/features/authorization_spec.rb b/spec/graphql/features/authorization_spec.rb index 514f63a6f5a..4f8ae92ff99 100644 --- a/spec/graphql/features/authorization_spec.rb +++ b/spec/graphql/features/authorization_spec.rb @@ -10,17 +10,14 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do let(:permission_single) { :foo } let(:permission_collection) { [:foo, :bar] } - let(:test_object) { double(name: 'My name') } + let(:test_object) { double(name: 'My name', address: 'Worldwide') } let(:authorizing_object) { test_object } # to override when combining permissions let(:permission_object_one) { authorizing_object } let(:permission_object_two) { authorizing_object } let(:query_string) { '{ item { name } }' } - let(:result) do - schema = empty_schema - execute_query(query_type, schema: schema) - end + let(:result) { execute_query(query_type) } subject { result.dig('data', 'item') } @@ -103,47 +100,47 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do end describe 'with a single permission' do + let(:query_string) { '{ item { name address } }' } let(:type) do type_factory do |type| - type.field :name, GraphQL::Types::String, null: true, authorize: permission_single + type.field :address, GraphQL::Types::String, null: true, authorize: permission_single end end it 'returns the protected field when user has permission' do permit(permission_single) - expect(subject).to eq('name' => test_object.name) + expect(subject).to include('address' => test_object.address) end it 'returns nil when user is not authorized' do - expect(subject).to eq('name' => nil) + expect(subject).to include('address' => nil) end end describe 'with a collection of permissions' do + let(:query_string) { '{ item { name address } }' } let(:type) do permissions = permission_collection type_factory do |type| - type.field :name, GraphQL::Types::String, - null: true, - authorize: permissions + type.field :address, GraphQL::Types::String, null: true, authorize: permissions end end it 'returns the protected field when user has all permissions' do permit(*permission_collection) - expect(subject).to eq('name' => test_object.name) + expect(subject).to include('address' => test_object.address) end it 'returns nil when user only has one of the permissions' do permit(permission_collection.first) - expect(subject).to eq('name' => nil) + expect(subject).to include('address' => nil) end it 'returns nil when user only has none of the permissions' do - expect(subject).to eq('name' => nil) + expect(subject).to include('address' => nil) end end end @@ -179,7 +176,7 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do describe 'type and field authorizations together' do let(:authorizing_object) { anything } let(:permission_1) { permission_collection.first } - let(:permission_2) { permission_collection.last } + let(:permission_2) { permission_collection.second } let(:type) do type_factory do |type| @@ -224,6 +221,55 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do include_examples 'authorization with a collection of permissions' end + context 'when the resolver is a subclass of one that authorizes the object' do + let(:permission_object_one) { be_nil } + let(:permission_object_two) { be_nil } + let(:parent) do + parent = Class.new(Resolvers::BaseResolver) + parent.include(::Gitlab::Graphql::Authorize::AuthorizeResource) + parent.authorizes_object! + parent.authorize permission_1 + parent + end + + let(:resolver) do + simple_resolver(test_object, base_class: parent) + end + + include_examples 'authorization with a collection of permissions' + end + + context 'when the resolver is a subclass of one that authorizes the object, extra permission' do + let(:permission_object_one) { be_nil } + let(:permission_object_two) { be_nil } + let(:parent) do + parent = Class.new(Resolvers::BaseResolver) + parent.include(::Gitlab::Graphql::Authorize::AuthorizeResource) + parent.authorizes_object! + parent.authorize permission_1 + parent + end + + let(:resolver) do + resolver = simple_resolver(test_object, base_class: parent) + resolver.include(::Gitlab::Graphql::Authorize::AuthorizeResource) + resolver.authorize permission_2 + resolver + end + + context 'when the field does not define any permissions' do + let(:query_type) do + query_factory do |query| + query.field :item, type, + null: true, + resolver: resolver + end + end + + include_examples 'authorization with a collection of permissions' + end + end + context 'when the resolver does not authorize the object, but instead calls authorized_find!' do let(:permission_object_one) { test_object } let(:permission_object_two) { be_nil } |