1 files changed, 61 insertions, 15 deletions

diff --git a/spec/graphql/features/authorization_spec.rb b/spec/graphql/features/authorization_spec.rb
index 514f63a6f5a..4f8ae92ff99 100644
--- a/spec/graphql/features/authorization_spec.rb
+++ b/spec/graphql/features/authorization_spec.rb
@@ -10,17 +10,14 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do
 
   let(:permission_single) { :foo }
   let(:permission_collection) { [:foo, :bar] }
-  let(:test_object) { double(name: 'My name') }
+  let(:test_object) { double(name: 'My name', address: 'Worldwide') }
   let(:authorizing_object) { test_object }
   # to override when combining permissions
   let(:permission_object_one) { authorizing_object }
   let(:permission_object_two) { authorizing_object }
 
   let(:query_string) { '{ item { name } }' }
-  let(:result) do
-    schema = empty_schema
-    execute_query(query_type, schema: schema)
-  end
+  let(:result) { execute_query(query_type) }
 
   subject { result.dig('data', 'item') }
 
@@ -103,47 +100,47 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do
     end
 
     describe 'with a single permission' do
+      let(:query_string) { '{ item { name address } }' }
       let(:type) do
         type_factory do |type|
-          type.field :name, GraphQL::Types::String, null: true, authorize: permission_single
+          type.field :address, GraphQL::Types::String, null: true, authorize: permission_single
         end
       end
 
       it 'returns the protected field when user has permission' do
         permit(permission_single)
 
-        expect(subject).to eq('name' => test_object.name)
+        expect(subject).to include('address' => test_object.address)
       end
 
       it 'returns nil when user is not authorized' do
-        expect(subject).to eq('name' => nil)
+        expect(subject).to include('address' => nil)
       end
     end
 
     describe 'with a collection of permissions' do
+      let(:query_string) { '{ item { name address } }' }
       let(:type) do
         permissions = permission_collection
         type_factory do |type|
-          type.field :name, GraphQL::Types::String,
-                     null: true,
-                     authorize: permissions
+          type.field :address, GraphQL::Types::String, null: true, authorize: permissions
         end
       end
 
       it 'returns the protected field when user has all permissions' do
         permit(*permission_collection)
 
-        expect(subject).to eq('name' => test_object.name)
+        expect(subject).to include('address' => test_object.address)
       end
 
       it 'returns nil when user only has one of the permissions' do
         permit(permission_collection.first)
 
-        expect(subject).to eq('name' => nil)
+        expect(subject).to include('address' => nil)
       end
 
       it 'returns nil when user only has none of the permissions' do
-        expect(subject).to eq('name' => nil)
+        expect(subject).to include('address' => nil)
       end
     end
   end
@@ -179,7 +176,7 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do
   describe 'type and field authorizations together' do
     let(:authorizing_object) { anything }
     let(:permission_1) { permission_collection.first }
-    let(:permission_2) { permission_collection.last }
+    let(:permission_2) { permission_collection.second }
 
     let(:type) do
       type_factory do |type|
@@ -224,6 +221,55 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do
       include_examples 'authorization with a collection of permissions'
     end
 
+    context 'when the resolver is a subclass of one that authorizes the object' do
+      let(:permission_object_one) { be_nil }
+      let(:permission_object_two) { be_nil }
+      let(:parent) do
+        parent = Class.new(Resolvers::BaseResolver)
+        parent.include(::Gitlab::Graphql::Authorize::AuthorizeResource)
+        parent.authorizes_object!
+        parent.authorize permission_1
+        parent
+      end
+
+      let(:resolver) do
+        simple_resolver(test_object, base_class: parent)
+      end
+
+      include_examples 'authorization with a collection of permissions'
+    end
+
+    context 'when the resolver is a subclass of one that authorizes the object, extra permission' do
+      let(:permission_object_one) { be_nil }
+      let(:permission_object_two) { be_nil }
+      let(:parent) do
+        parent = Class.new(Resolvers::BaseResolver)
+        parent.include(::Gitlab::Graphql::Authorize::AuthorizeResource)
+        parent.authorizes_object!
+        parent.authorize permission_1
+        parent
+      end
+
+      let(:resolver) do
+        resolver = simple_resolver(test_object, base_class: parent)
+        resolver.include(::Gitlab::Graphql::Authorize::AuthorizeResource)
+        resolver.authorize permission_2
+        resolver
+      end
+
+      context 'when the field does not define any permissions' do
+        let(:query_type) do
+          query_factory do |query|
+            query.field :item, type,
+                        null: true,
+                        resolver: resolver
+          end
+        end
+
+        include_examples 'authorization with a collection of permissions'
+      end
+    end
+
     context 'when the resolver does not authorize the object, but instead calls authorized_find!' do
       let(:permission_object_one) { test_object }
       let(:permission_object_two) { be_nil }