author | Nick Thomas <nick@gitlab.com> | 2019-04-04 17:12:43 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-04-04 17:12:43 +0000 |
commit | a2d044bf97ec350019b2daebd962ab4901070818 (patch) | |
tree | a499e4701475e91c60e4b3bf7dc5ede8d5669f79 /spec/graphql | |
parent | 9946c23a32c13a2ac773a36c4f06ab85d62252db (diff) | |
parent | 6643b92b8807e2d59f36d676303b89ea01824f22 (diff) | |
download | gitlab-ce-a2d044bf97ec350019b2daebd962ab4901070818.tar.gz |
Merge branch '57831-allow-graphql-scalar-fields-to-be-authorized' into 'master'
Allow GraphQL Scalar-fields to be authorized
Closes #57831
See merge request gitlab-org/gitlab-ce!26338
Diffstat (limited to 'spec/graphql')
-rw-r--r-- | spec/graphql/features/authorization_spec.rb | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/spec/graphql/features/authorization_spec.rb b/spec/graphql/features/authorization_spec.rb
index f863c4444b8..00e31568a9e 100644
--- a/spec/graphql/features/authorization_spec.rb
+++ b/spec/graphql/features/authorization_spec.rb
@@ -75,6 +75,59 @@ describe 'Gitlab::Graphql::Authorization' do
 end
 end
 
+ describe 'Field authorizations when field is a built in type' do
+ let(:query_type) do
+ query_factory do |query|
+ query.field :object, type, null: true, resolve: ->(obj, args, ctx) { test_object }
+ end
+ end
+
+ describe 'with a single permission' do
+ let(:type) do
+ type_factory do |type|
+ type.field :name, GraphQL::STRING_TYPE, null: true, authorize: permission_single
+ end
+ end
+
+ it 'returns the protected field when user has permission' do
+ permit(permission_single)
+
+ expect(subject).to eq('name' => test_object.name)
+ end
+
+ it 'returns nil when user is not authorized' do
+ expect(subject).to eq('name' => nil)
+ end
+ end
+
+ describe 'with a collection of permissions' do
+ let(:type) do
+ permissions = permission_collection
+ type_factory do |type|
+ type.field :name, GraphQL::STRING_TYPE, null: true do
+ authorize permissions
+ end
+ end
+ end
+
+ it 'returns the protected field when user has all permissions' do
+ permit(*permission_collection)
+
+ expect(subject).to eq('name' => test_object.name)
+ end
+
+ it 'returns nil when user only has one of the permissions' do
+ permit(permission_collection.first)
+
+ expect(subject).to eq('name' => nil)
+ end
+
+ it 'returns nil when user only has none of the permissions' do
+ expect(subject).to eq('name' => nil)
+ end
+ end
+ end
+
 describe 'Type authorizations' do
 let(:query_type) do
 query_factory do |query| |
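Review bot: The partial-permission example under 'with a collection of permissions' grants only `permission_collection.first`, so an implementation that consulted just the last entry of the collection would still pass every example added here. A mirror example that calls `permit(permission_collection.last)` and asserts `expect(subject).to eq('name' => nil)`, or a loop over each single permission, would pin the all-of semantics. Both new contexts also declare the scalar with `null: true`, so what an unauthorized `null: false` scalar returns is not exercised by this hunk and deserves its own example. The title 'returns nil when user only has none of the permissions' reads more clearly as 'returns nil when user has none of the permissions'. The helpers `permit`, `type_factory`, `query_factory`, `subject` and `permission_collection` are defined outside the hunk, so the size and contents of the collection are assumed rather than seen.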