4 files changed, 207 insertions, 14 deletions

diff --git a/spec/requests/api/graphql/project/issues_spec.rb b/spec/requests/api/graphql/project/issues_spec.rb
index 1c6d6ce4707..b3e91afb5b3 100644
--- a/spec/requests/api/graphql/project/issues_spec.rb
+++ b/spec/requests/api/graphql/project/issues_spec.rb
@@ -429,11 +429,11 @@ RSpec.describe 'getting an issue list for a project' do
     end
 
     it 'avoids N+1 queries' do
-      create(:contact, group_id: group.id, issues: [issue_a])
+      create(:issue_customer_relations_contact, :for_issue, issue: issue_a)
 
       control = ActiveRecord::QueryRecorder.new(skip_cached: false) { clean_state_query }
 
-      create(:contact, group_id: group.id, issues: [issue_a])
+      create(:issue_customer_relations_contact, :for_issue, issue: issue_a)
 
       expect { clean_state_query }.not_to exceed_all_query_limit(control)
     end
diff --git a/spec/requests/api/graphql/project/merge_request_spec.rb b/spec/requests/api/graphql/project/merge_request_spec.rb
index 438ea9bb4c1..353bf0356f6 100644
--- a/spec/requests/api/graphql/project/merge_request_spec.rb
+++ b/spec/requests/api/graphql/project/merge_request_spec.rb
@@ -347,7 +347,7 @@ RSpec.describe 'getting merge request information nested in a project' do
         expect(interaction_data).to contain_exactly a_hash_including(
           'canMerge' => false,
           'canUpdate' => can_update,
-          'reviewState' => unreviewed,
+          'reviewState' => attention_requested,
           'reviewed' => false,
           'approved' => false
         )
@@ -380,8 +380,8 @@ RSpec.describe 'getting merge request information nested in a project' do
     describe 'scalability' do
       let_it_be(:other_users) { create_list(:user, 3) }
 
-      let(:unreviewed) do
-        { 'reviewState' => 'UNREVIEWED' }
+      let(:attention_requested) do
+        { 'reviewState' => 'ATTENTION_REQUESTED' }
       end
 
       let(:reviewed) do
@@ -413,9 +413,9 @@ RSpec.describe 'getting merge request information nested in a project' do
           expect { post_graphql(query) }.not_to exceed_query_limit(baseline)
 
           expect(interaction_data).to contain_exactly(
-            include(unreviewed),
-            include(unreviewed),
-            include(unreviewed),
+            include(attention_requested),
+            include(attention_requested),
+            include(attention_requested),
             include(reviewed)
           )
         end
@@ -444,7 +444,7 @@ RSpec.describe 'getting merge request information nested in a project' do
 
   it_behaves_like 'when requesting information about MR interactions' do
     let(:field) { :reviewers }
-    let(:unreviewed) { 'UNREVIEWED' }
+    let(:attention_requested) { 'ATTENTION_REQUESTED' }
     let(:can_update) { false }
 
     def assign_user(user)
@@ -454,7 +454,7 @@ RSpec.describe 'getting merge request information nested in a project' do
 
   it_behaves_like 'when requesting information about MR interactions' do
     let(:field) { :assignees }
-    let(:unreviewed) { nil }
+    let(:attention_requested) { nil }
     let(:can_update) { true } # assignees can update MRs
 
     def assign_user(user)
diff --git a/spec/requests/api/graphql/project/release_spec.rb b/spec/requests/api/graphql/project/release_spec.rb
index 7f24d051457..77abac4ef04 100644
--- a/spec/requests/api/graphql/project/release_spec.rb
+++ b/spec/requests/api/graphql/project/release_spec.rb
@@ -228,6 +228,189 @@ RSpec.describe 'Query.project(fullPath).release(tagName)' do
     end
   end
 
+  shared_examples 'restricted access to release fields' do
+    describe 'scalar fields' do
+      let(:path) { path_prefix }
+
+      let(:release_fields) do
+        %{
+          tagName
+          tagPath
+          description
+          descriptionHtml
+          name
+          createdAt
+          releasedAt
+          upcomingRelease
+        }
+      end
+
+      before do
+        post_query
+      end
+
+      it 'finds all release data' do
+        expect(data).to eq({
+          'tagName' => release.tag,
+          'tagPath' => nil,
+          'description' => release.description,
+          'descriptionHtml' => release.description_html,
+          'name' => release.name,
+          'createdAt' => release.created_at.iso8601,
+          'releasedAt' => release.released_at.iso8601,
+          'upcomingRelease' => false
+        })
+      end
+    end
+
+    describe 'milestones' do
+      let(:path) { path_prefix + %w[milestones nodes] }
+
+      let(:release_fields) do
+        query_graphql_field(:milestones, nil, 'nodes { id title }')
+      end
+
+      it 'finds milestones associated to a release' do
+        post_query
+
+        expected = release.milestones.order_by_dates_and_title.map do |milestone|
+          { 'id' => global_id_of(milestone), 'title' => milestone.title }
+        end
+
+        expect(data).to eq(expected)
+      end
+    end
+
+    describe 'author' do
+      let(:path) { path_prefix + %w[author] }
+
+      let(:release_fields) do
+        query_graphql_field(:author, nil, 'id username')
+      end
+
+      it 'finds the author of the release' do
+        post_query
+
+        expect(data).to eq(
+          'id' => global_id_of(release.author),
+          'username' => release.author.username
+        )
+      end
+    end
+
+    describe 'commit' do
+      let(:path) { path_prefix + %w[commit] }
+
+      let(:release_fields) do
+        query_graphql_field(:commit, nil, 'sha')
+      end
+
+      it 'restricts commit associated with the release' do
+        post_query
+
+        expect(data).to eq(nil)
+      end
+    end
+
+    describe 'assets' do
+      describe 'count' do
+        let(:path) { path_prefix + %w[assets] }
+
+        let(:release_fields) do
+          query_graphql_field(:assets, nil, 'count')
+        end
+
+        it 'returns non source release links count' do
+          post_query
+
+          expect(data).to eq('count' => release.assets_count(except: [:sources]))
+        end
+      end
+
+      describe 'links' do
+        let(:path) { path_prefix + %w[assets links nodes] }
+
+        let(:release_fields) do
+          query_graphql_field(:assets, nil,
+            query_graphql_field(:links, nil, 'nodes { id name url external, directAssetUrl }'))
+        end
+
+        it 'finds all non source external release links' do
+          post_query
+
+          expected = release.links.map do |link|
+            {
+              'id' => global_id_of(link),
+              'name' => link.name,
+              'url' => link.url,
+              'external' => true,
+              'directAssetUrl' => link.filepath ? Gitlab::Routing.url_helpers.project_release_url(project, release) << "/downloads#{link.filepath}" : link.url
+            }
+          end
+
+          expect(data).to match_array(expected)
+        end
+      end
+
+      describe 'sources' do
+        let(:path) { path_prefix + %w[assets sources nodes] }
+
+        let(:release_fields) do
+          query_graphql_field(:assets, nil,
+            query_graphql_field(:sources, nil, 'nodes { format url }'))
+        end
+
+        it 'restricts release sources' do
+          post_query
+
+          expect(data).to match_array([])
+        end
+      end
+    end
+
+    describe 'links' do
+      let(:path) { path_prefix + %w[links] }
+
+      let(:release_fields) do
+        query_graphql_field(:links, nil, %{
+          selfUrl
+          openedMergeRequestsUrl
+          mergedMergeRequestsUrl
+          closedMergeRequestsUrl
+          openedIssuesUrl
+          closedIssuesUrl
+        })
+      end
+
+      it 'finds only selfUrl' do
+        post_query
+
+        expect(data).to eq(
+          'selfUrl' => project_release_url(project, release),
+          'openedMergeRequestsUrl' => nil,
+          'mergedMergeRequestsUrl' => nil,
+          'closedMergeRequestsUrl' => nil,
+          'openedIssuesUrl' => nil,
+          'closedIssuesUrl' => nil
+        )
+      end
+    end
+
+    describe 'evidences' do
+      let(:path) { path_prefix + %w[evidences] }
+
+      let(:release_fields) do
+        query_graphql_field(:evidences, nil, 'nodes { id sha filepath collectedAt }')
+      end
+
+      it 'restricts all evidence fields' do
+        post_query
+
+        expect(data).to eq('nodes' => [])
+      end
+    end
+  end
+
   shared_examples 'no access to the release field' do
     describe 'repository-related fields' do
       let(:path) { path_prefix }
@@ -302,7 +485,8 @@ RSpec.describe 'Query.project(fullPath).release(tagName)' do
       context 'when the user has Guest permissions' do
         let(:current_user) { guest }
 
-        it_behaves_like 'no access to the release field'
+        it_behaves_like 'restricted access to release fields'
+        it_behaves_like 'no access to editUrl'
       end
 
       context 'when the user has Reporter permissions' do
diff --git a/spec/requests/api/graphql/project/releases_spec.rb b/spec/requests/api/graphql/project/releases_spec.rb
index 2816ce90a6b..c28a6fa7666 100644
--- a/spec/requests/api/graphql/project/releases_spec.rb
+++ b/spec/requests/api/graphql/project/releases_spec.rb
@@ -129,10 +129,12 @@ RSpec.describe 'Query.project(fullPath).releases()' do
       end
 
       it 'does not return data for fields that expose repository information' do
+        tag_name = release.tag
+        release_name = release.name
         expect(data).to eq(
-          'tagName' => nil,
+          'tagName' => tag_name,
           'tagPath' => nil,
-          'name' => "Release-#{release.id}",
+          'name' => release_name,
           'commit' => nil,
           'assets' => {
             'count' => release.assets_count(except: [:sources]),
@@ -143,7 +145,14 @@ RSpec.describe 'Query.project(fullPath).releases()' do
           'evidences' => {
             'nodes' => []
           },
-          'links' => nil
+          'links' => {
+            'closedIssuesUrl' => nil,
+            'closedMergeRequestsUrl' => nil,
+            'mergedMergeRequestsUrl' => nil,
+            'openedIssuesUrl' => nil,
+            'openedMergeRequestsUrl' => nil,
+            'selfUrl' => project_release_url(project, release)
+          }
         )
       end
     end