| author | Lin Jen-Shin <godfat@godfat.org> | 2019-04-19 10:03:54 +0000 |
|---|---|---|
| committer | Lin Jen-Shin <godfat@godfat.org> | 2019-04-19 10:03:54 +0000 |
| commit | 4d2bce770bdf1b12378d3c06f895cc73d46d6f9f (patch) | |
| tree | 923cf5f33e3d69c57c718579f14797b4efcc98de /spec/requests/api | |
| parent | fe1407b1fba62b14862613de563857f339e3c31b (diff) | |
| parent | eca8e6f09b1800b58904582b527103b5c755e898 (diff) | |
| download | gitlab-ce-4d2bce770bdf1b12378d3c06f895cc73d46d6f9f.tar.gz | |
Merge branch 'bvl-graphql-only-authorize-rendered-fields' into 'master'
Only check abilities on rendered GraphQL nodes
Closes #58647 and #60355
See merge request gitlab-org/gitlab-ce!27273
Diffstat (limited to 'spec/requests/api')
| -rw-r--r-- | spec/requests/api/graphql/project/issues_spec.rb | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/spec/requests/api/graphql/project/issues_spec.rb b/spec/requests/api/graphql/project/issues_spec.rb
index c2934430821..4f9f916f22e 100644
--- a/spec/requests/api/graphql/project/issues_spec.rb
+++ b/spec/requests/api/graphql/project/issues_spec.rb
@@ -7,8 +7,8 @@ describe 'getting an issue list for a project' do
   let(:current_user) { create(:user) }
   let(:issues_data) { graphql_data['project']['issues']['edges'] }
   let!(:issues) do
-    create(:issue, project: project, discussion_locked: true)
-    create(:issue, project: project)
+    [create(:issue, project: project, discussion_locked: true),
+     create(:issue, project: project)]
   end
   let(:fields) do
     <<~QUERY
@@ -47,6 +47,30 @@ describe 'getting an issue list for a project' do
     expect(issues_data[1]['node']['discussionLocked']).to eq true
   end
 
+  context 'when limiting the number of results' do
+    let(:query) do
+      graphql_query_for(
+        'project',
+        { 'fullPath' => project.full_path },
+        "issues(first: 1) { #{fields} }"
+      )
+    end
+
+    it_behaves_like 'a working graphql query' do
+      before do
+        post_graphql(query, current_user: current_user)
+      end
+    end
+
+    it "is expected to check permissions on the first issue only" do
+      allow(Ability).to receive(:allowed?).and_call_original
+      # Newest first, we only want to see the newest checked
+      expect(Ability).not_to receive(:allowed?).with(current_user, :read_issue, issues.first)
+
+      post_graphql(query, current_user: current_user)
+    end
+  end
+
   context 'when the user does not have access to the issue' do
     it 'returns nil' do
       project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
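Review bot: The new example `it "is expected to check permissions on the first issue only"` only asserts that `Ability.allowed?` is never called for `issues.first`; it would pass just as well if no `:read_issue` check ran at all, so it does not prove the rendered node is still authorized, which is the property this commit must not regress. Pair the negative expectation with a positive one on the node that is rendered, e.g. `expect(Ability).to receive(:allowed?).with(current_user, :read_issue, issues.last).at_least(:once).and_call_original`, and consider asserting `expect(issues_data.size).to eq(1)` after the post so the `first: 1` limit itself is verified. The comment `# Newest first, we only want to see the newest checked` appears to rely on the default issue ordering; if that default changes, the roles of `issues.first` and `issues.last` swap silently and the example keeps passing, so naming that assumption in the comment (`# relies on the default newest-first ordering of project issues`) or ordering explicitly in the query would harden it. The enclosing `describe` block starts and ends outside the hunk.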
