# frozen_string_literal: true

require 'spec_helper'

# Also see spec/graphql/features/authorization_spec.rb for
# integration tests of AuthorizeFieldService
describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
  # Unit coverage for the private #build_checker. The callable it returns is
  # given a resolved value (a single object or an Array), and these examples
  # pin what it hands back after Ability.allowed? has been consulted.
  describe '#build_checker' do
    let(:current_user) { double(:current_user) }
    let(:abilities) { [double(:first_ability), double(:last_ability)] }

    # nil means no separate authorizing object is supplied; the
    # "another object" context below overrides this.
    let(:authorizing_obj) { nil }

    # Builds the checker under test. #authorizations is stubbed so that the
    # ability list is fully controlled by the example.
    let(:checker) do
      field = double(resolve_proc: proc {})
      field_service = described_class.new(field)
      allow(field_service).to receive(:authorizations).and_return(abilities)

      field_service.__send__(:build_checker, current_user, authorizing_obj)
    end

    context 'when authorizing against the object' do
      it 'returns a checker which checks for a single object' do
        resource = double(:object)

        # Every ability is expected to be checked against the resolved object.
        abilities.each { |ability| spy_ability_check_for(ability, resource, passed: true) }

        expect(checker.call(resource)).to eq(resource)
      end

      it 'returns a checker which checks for all objects' do
        resources = [double(:first), double(:last)]

        # One expectation per (ability, object) pair, in ability-major order.
        abilities.product(resources).each do |ability, resource|
          spy_ability_check_for(ability, resource, passed: true)
        end

        expect(checker.call(resources)).to eq(resources)
      end

      # Deny path: a refused ability must keep the object out of the result.
      context 'when some objects would not pass the check' do
        it 'returns nil when it is single object' do
          denied = double(:object)

          # Only the first ability is mocked for the denied object; a call for
          # the last ability with this object would match no expectation.
          spy_ability_check_for(abilities.first, denied, passed: false)

          expect(checker.call(denied)).to be_nil
        end

        it 'returns only objects which passed when there are more than one' do
          permitted = double(:allowed)
          denied = double(:disallowed)

          spy_ability_check_for(abilities.first, denied, passed: false)
          abilities.each { |ability| spy_ability_check_for(ability, permitted, passed: true) }

          expect(checker.call([denied, permitted])).to contain_exactly(permitted)
        end
      end
    end

    # Here every expectation names authorizing_obj as the subject of the
    # check; the resolved objects are never the expected third argument.
    #
    # NOTE(review): both examples below stub the check as passing. There is
    # no example in which the authorizing object is refused, so a regression
    # that lets values through after a failed check against it would not be
    # caught by this file. Worth adding a denial case.
    context 'when authorizing against another object' do
      let(:authorizing_obj) { double(:object) }

      it 'returns a checker which checks for a single object' do
        resource = double(:object)

        abilities.each { |ability| spy_ability_check_for(ability, authorizing_obj, passed: true) }

        expect(checker.call(resource)).to eq(resource)
      end

      it 'returns a checker which checks for all objects' do
        resources = [double(:first), double(:last)]

        # The same expectation is registered once per resolved object, i.e.
        # resources.size expectations per ability, all against authorizing_obj.
        abilities.each do |ability|
          resources.size.times do
            spy_ability_check_for(ability, authorizing_obj, passed: true)
          end
        end

        expect(checker.call(resources)).to eq(resources)
      end
    end
  end

  private

  # Registers a message expectation (not a passive spy, despite the name):
  # Ability.allowed? must be received with (current_user, ability, object)
  # and will answer with `passed`.
  def spy_ability_check_for(ability, object, passed: true)
    expected_call = receive(:allowed?).with(current_user, ability, object).and_return(passed)

    expect(Ability).to expected_call
  end
end