Merge branch 'dcouture-graphql-permission-test' into 'master'

Add shared examples for GraphQL permission testing See merge request gitlab-org/gitlab!44796

Merge branch 'dcouture-graphql-permission-test' into 'master'
Add shared examples for GraphQL permission testing See merge request gitlab-org/gitlab!44796
19599c16 · Nick Thomas · af1dacb3 · e5af6361 · 19599c16 · 19599c16
Commit 19599c16 authored Oct 26, 2020 by Nick Thomas
21 changed files
--- a/ee/spec/graphql/mutations/epics/add_issue_spec.rb
+++ b/ee/spec/graphql/mutations/epics/add_issue_spec.rb
@@ -21,9 +21,7 @@ RSpec.describe Mutations::Epics::AddIssue do
      )
    end

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for epic mutation is correctly verified'

    context 'when the user can update the epic' do
      before do

--- a/ee/spec/graphql/mutations/epics/update_spec.rb
+++ b/ee/spec/graphql/mutations/epics/update_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Mutations::Epics::Update do
+  let_it_be(:group) { create(:group) }
+  let_it_be(:project) { create(:project, namespace: group) }
+  let_it_be(:epic) { create(:epic, group: group) }
+
+  let_it_be(:user) { create(:user) }
+  let_it_be(:issue) { create(:issue, project: project) }
+
+  subject(:mutation) { described_class.new(object: group, context: { current_user: user }, field: nil) }
+
+  describe '#resolve' do
+    subject { mutation.resolve(group_path: group.full_path, iid: epic.iid, title: 'new epic title') }
+
+    it_behaves_like 'permission level for epic mutation is correctly verified'
+  end
+end
--- a/ee/spec/graphql/mutations/issues/set_epic_spec.rb
+++ b/ee/spec/graphql/mutations/issues/set_epic_spec.rb
@@ -16,9 +16,7 @@ RSpec.describe Mutations::Issues::SetEpic do

    subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, epic: epic) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified', true

    context 'when the user can update the issue' do
      before do

--- a/ee/spec/graphql/mutations/issues/set_iteration_spec.rb
+++ b/ee/spec/graphql/mutations/issues/set_iteration_spec.rb
@@ -14,9 +14,7 @@ RSpec.describe Mutations::Issues::SetIteration do

    subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, iteration: iteration) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified'

    context 'when the user can update the issue' do
      before do

--- a/ee/spec/graphql/mutations/issues/set_weight_spec.rb
+++ b/ee/spec/graphql/mutations/issues/set_weight_spec.rb
@@ -13,9 +13,7 @@ RSpec.describe Mutations::Issues::SetWeight do

    subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, weight: weight) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified'

    context 'when the user can update the issue' do
      before do

--- a/ee/spec/support/shared_examples/graphql/mutations/epics/permission_check_shared_examples.rb
+++ b/ee/spec/support/shared_examples/graphql/mutations/epics/permission_check_shared_examples.rb
+# frozen_string_literal: true
+
+RSpec.shared_examples 'permission level for epic mutation is correctly verified' do
+  before do
+    stub_licensed_features(epics: true)
+  end
+
+  shared_examples_for 'when the user does not have access to the resource' do
+    it 'raises an error' do
+      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+    end
+
+    context 'even if author of the epic' do
+      before do
+        epic.author = user
+      end
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+
+    context 'even if assigned to the issue' do
+      before do
+        issue.assignees.push(user)
+      end
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+
+    context 'even if author of the issue' do
+      before do
+        issue.author = user
+      end
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+
+    context 'even if maintainer of the project' do
+      before do
+        project.add_maintainer(user)
+      end
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+  end
+
+  context 'when the user is not a group member' do
+    it_behaves_like 'when the user does not have access to the resource'
+  end
+
+  context 'when the user is a group member' do
+    context 'with guest role' do
+      before do
+        group.add_guest(user)
+      end
+
+      it_behaves_like 'when the user does not have access to the resource'
+    end
+  end
+end
--- a/ee/spec/support/shared_examples/graphql/mutations/update_health_status_shared_examples.rb
+++ b/ee/spec/support/shared_examples/graphql/mutations/update_health_status_shared_examples.rb
@@ -16,10 +16,6 @@ RSpec.shared_examples 'updating health status' do

  subject { mutation.resolve(params) }

-  it 'raises an error if the resource is not accessible to the user' do
-    expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-  end
-
  context 'when the user has permission' do
    before do
      resource.resource_parent.add_developer(user)

--- a/spec/graphql/mutations/issues/set_assignees_spec.rb
+++ b/spec/graphql/mutations/issues/set_assignees_spec.rb
@@ -3,6 +3,20 @@
 require 'spec_helper'

 RSpec.describe Mutations::Issues::SetAssignees do
+  context 'when the user does not have permissions' do
+    let_it_be(:issue) { create(:issue) }
+    let_it_be(:user) { create(:user) }
+    let_it_be(:assignee) { create(:user) }
+
+    subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
+
+    describe '#resolve' do
+      subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, assignee_usernames: [assignee.username]) }
+
+      it_behaves_like 'permission level for issue mutation is correctly verified'
+    end
+  end
+
  it_behaves_like 'an assignable resource' do
    let_it_be(:resource, reload: true) { create(:issue) }
  end

--- a/spec/graphql/mutations/issues/set_confidential_spec.rb
+++ b/spec/graphql/mutations/issues/set_confidential_spec.rb
@@ -17,9 +17,7 @@ RSpec.describe Mutations::Issues::SetConfidential do

    subject { mutation.resolve(project_path: project.full_path, iid: issue.iid, confidential: confidential) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified'

    context 'when the user can update the issue' do
      before do

--- a/spec/graphql/mutations/issues/set_due_date_spec.rb
+++ b/spec/graphql/mutations/issues/set_due_date_spec.rb
@@ -16,9 +16,7 @@ RSpec.describe Mutations::Issues::SetDueDate do

    subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, due_date: due_date) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified'

    context 'when the user can update the issue' do
      before do

--- a/spec/graphql/mutations/issues/set_locked_spec.rb
+++ b/spec/graphql/mutations/issues/set_locked_spec.rb
@@ -15,9 +15,7 @@ RSpec.describe Mutations::Issues::SetLocked do

    subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, locked: locked) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified'

    context 'when the user can update the issue' do
      let(:mutated_issue) { subject[:issue] }

--- a/spec/graphql/mutations/issues/set_severity_spec.rb
+++ b/spec/graphql/mutations/issues/set_severity_spec.rb
@@ -15,11 +15,7 @@ RSpec.describe Mutations::Issues::SetSeverity do

    subject(:resolve) { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, severity: severity) }

-    context 'when the user cannot update the issue' do
-      it 'raises an error' do
-        expect { resolve }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-      end
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified'

    context 'when the user can update the issue' do
      before do

--- a/spec/graphql/mutations/issues/update_spec.rb
+++ b/spec/graphql/mutations/issues/update_spec.rb
@@ -35,11 +35,7 @@ RSpec.describe Mutations::Issues::Update do

    subject { mutation.resolve(mutation_params) }

-    context 'when the user cannot access the issue' do
-      it 'raises an error' do
-        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-      end
-    end
+    it_behaves_like 'permission level for issue mutation is correctly verified'

    context 'when the user can update the issue' do
      before do

--- a/spec/graphql/mutations/merge_requests/set_assignees_spec.rb
+++ b/spec/graphql/mutations/merge_requests/set_assignees_spec.rb
@@ -3,6 +3,20 @@
 require 'spec_helper'

 RSpec.describe Mutations::MergeRequests::SetAssignees do
+  context 'when the user does not have permissions' do
+    let_it_be(:merge_request) { create(:merge_request) }
+    let_it_be(:user) { create(:user) }
+    let_it_be(:assignee) { create(:user) }
+
+    subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
+
+    describe '#resolve' do
+      subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, assignee_usernames: [assignee.username]) }
+
+      it_behaves_like 'permission level for merge request mutation is correctly verified'
+    end
+  end
+
  it_behaves_like 'an assignable resource' do
    let_it_be(:resource, reload: true) { create(:merge_request) }
  end

--- a/spec/graphql/mutations/merge_requests/set_labels_spec.rb
+++ b/spec/graphql/mutations/merge_requests/set_labels_spec.rb
@@ -18,9 +18,7 @@ RSpec.describe Mutations::MergeRequests::SetLabels do

    subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, label_ids: label_ids) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for merge request mutation is correctly verified'

    context 'when the user can update the merge request' do
      before do

--- a/spec/graphql/mutations/merge_requests/set_locked_spec.rb
+++ b/spec/graphql/mutations/merge_requests/set_locked_spec.rb
@@ -16,9 +16,7 @@ RSpec.describe Mutations::MergeRequests::SetLocked do

    subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, locked: locked) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for merge request mutation is correctly verified'

    context 'when the user can update the merge request' do
      before do

--- a/spec/graphql/mutations/merge_requests/set_milestone_spec.rb
+++ b/spec/graphql/mutations/merge_requests/set_milestone_spec.rb
@@ -18,6 +18,8 @@ RSpec.describe Mutations::MergeRequests::SetMilestone do
      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
    end

+    it_behaves_like 'permission level for merge request mutation is correctly verified'
+
    context 'when the user can update the merge request' do
      before do
        project.add_developer(user)

--- a/spec/graphql/mutations/merge_requests/set_wip_spec.rb
+++ b/spec/graphql/mutations/merge_requests/set_wip_spec.rb
@@ -16,9 +16,7 @@ RSpec.describe Mutations::MergeRequests::SetWip do

    subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, wip: wip) }

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for merge request mutation is correctly verified'

    context 'when the user can update the merge request' do
      before do

--- a/spec/graphql/mutations/merge_requests/update_spec.rb
+++ b/spec/graphql/mutations/merge_requests/update_spec.rb
@@ -18,9 +18,7 @@ RSpec.describe Mutations::MergeRequests::Update do
      mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, **attributes)
    end

-    it 'raises an error if the resource is not accessible to the user' do
-      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-    end
+    it_behaves_like 'permission level for merge request mutation is correctly verified'

    context 'when the user can update the merge request' do
      before do

--- a/spec/support/shared_examples/graphql/mutations/issues/permission_check_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/mutations/issues/permission_check_shared_examples.rb
+# frozen_string_literal: true
+
+RSpec.shared_examples 'permission level for issue mutation is correctly verified' do |raises_for_all_errors = false|
+  before do
+    issue.assignees = []
+    issue.author = user
+  end
+
+  shared_examples_for 'when the user does not have access to the resource' do |raise_for_assigned|
+    it 'raises an error' do
+      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+    end
+
+    context 'even if assigned to the issue' do
+      before do
+        issue.assignees.push(user)
+      end
+
+      it 'does not modify issue' do
+        if raises_for_all_errors || raise_for_assigned
+          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+        else
+          expect(subject[:issue]).to eq issue
+        end
+      end
+    end
+
+    context 'even if author of the issue' do
+      before do
+        issue.author = user
+      end
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+  end
+
+  context 'when the user is not a project member' do
+    it_behaves_like 'when the user does not have access to the resource', true
+  end
+
+  context 'when the user is a project member' do
+    context 'with guest role' do
+      before do
+        issue.project.add_guest(user)
+      end
+
+      it_behaves_like 'when the user does not have access to the resource', false
+    end
+  end
+end
--- a/spec/support/shared_examples/graphql/mutations/merge_requests/permission_check_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/mutations/merge_requests/permission_check_shared_examples.rb
+# frozen_string_literal: true
+
+RSpec.shared_examples 'permission level for merge request mutation is correctly verified' do
+  before do
+    merge_request.assignees = []
+    merge_request.reviewers = []
+    merge_request.author = nil
+  end
+
+  shared_examples_for 'when the user does not have access to the resource' do |raise_for_assigned|
+    it 'raises an error' do
+      expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+    end
+
+    context 'even if assigned to the merge request' do
+      before do
+        merge_request.assignees.push(user)
+      end
+
+      it 'does not modify merge request' do
+        if raise_for_assigned
+          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+        else
+          # In some cases we simply do nothing instead of raising
+          # https://gitlab.com/gitlab-org/gitlab/-/issues/196241
+          expect(subject[:merge_request]).to eq merge_request
+        end
+      end
+    end
+
+    context 'even if reviewer of the merge request' do
+      before do
+        merge_request.reviewers.push(user)
+      end
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+
+    context 'even if author of the merge request' do
+      before do
+        merge_request.author = user
+      end
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+  end
+
+  context 'when the user is not a project member' do
+    it_behaves_like 'when the user does not have access to the resource', true
+  end
+
+  context 'when the user is a project member' do
+    context 'with guest role' do
+      before do
+        merge_request.project.add_guest(user)
+      end
+
+      it_behaves_like 'when the user does not have access to the resource', true
+    end
+
+    context 'with reporter role' do
+      before do
+        merge_request.project.add_reporter(user)
+      end
+
+      it_behaves_like 'when the user does not have access to the resource', false
+    end
+  end
+end