Commit 19599c16 authored by Nick Thomas

Merge branch 'dcouture-graphql-permission-test' into 'master'

Add shared examples for GraphQL permission testing

See merge request gitlab-org/gitlab!44796
parents af1dacb3 e5af6361
...@@ -21,9 +21,7 @@ RSpec.describe Mutations::Epics::AddIssue do ...@@ -21,9 +21,7 @@ RSpec.describe Mutations::Epics::AddIssue do
) )
end end
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for epic mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the epic' do context 'when the user can update the epic' do
before do before do
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Mutations::Epics::Update do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, namespace: group) }
let_it_be(:epic) { create(:epic, group: group) }
let_it_be(:user) { create(:user) }
let_it_be(:issue) { create(:issue, project: project) }
subject(:mutation) { described_class.new(object: group, context: { current_user: user }, field: nil) }
describe '#resolve' do
subject { mutation.resolve(group_path: group.full_path, iid: epic.iid, title: 'new epic title') }
it_behaves_like 'permission level for epic mutation is correctly verified'
end
end
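Review bot: The `project` and `issue` bindings in this new spec are never referenced by the spec itself; they appear to exist only because the 'permission level for epic mutation is correctly verified' shared example mutates `issue` and calls `project.add_maintainer` in its nested contexts. A comment on those two `let_it_be` lines, such as `# only referenced by the epic permission shared example`, would stop a later cleanup from removing them and silently breaking the shared example's 'even if assigned/author of the issue' and 'even if maintainer of the project' cases.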
...@@ -16,9 +16,7 @@ RSpec.describe Mutations::Issues::SetEpic do ...@@ -16,9 +16,7 @@ RSpec.describe Mutations::Issues::SetEpic do
subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, epic: epic) } subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, epic: epic) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for issue mutation is correctly verified', true
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
before do before do
......
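Review bot: The bare `true` passed on the `it_behaves_like` line says nothing at the call site about what it switches on; in the shared example it binds `raises_for_all_errors`, which makes the 'even if assigned to the issue' case expect a raise instead of an unchanged issue. A comment such as `# SetEpic rejects assignees as well as non-members (raises_for_all_errors)` would document why this spec differs from the sibling issue mutation specs that pass nothing. The enclosing describe block starts and ends outside the hunk.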
...@@ -14,9 +14,7 @@ RSpec.describe Mutations::Issues::SetIteration do ...@@ -14,9 +14,7 @@ RSpec.describe Mutations::Issues::SetIteration do
subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, iteration: iteration) } subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, iteration: iteration) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for issue mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
before do before do
......
...@@ -13,9 +13,7 @@ RSpec.describe Mutations::Issues::SetWeight do ...@@ -13,9 +13,7 @@ RSpec.describe Mutations::Issues::SetWeight do
subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, weight: weight) } subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, weight: weight) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for issue mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
before do before do
......
# frozen_string_literal: true
RSpec.shared_examples 'permission level for epic mutation is correctly verified' do
before do
stub_licensed_features(epics: true)
end
shared_examples_for 'when the user does not have access to the resource' do
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'even if author of the epic' do
before do
epic.author = user
end
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'even if assigned to the issue' do
before do
issue.assignees.push(user)
end
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'even if author of the issue' do
before do
issue.author = user
end
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'even if maintainer of the project' do
before do
project.add_maintainer(user)
end
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
end
context 'when the user is not a group member' do
it_behaves_like 'when the user does not have access to the resource'
end
context 'when the user is a group member' do
context 'with guest role' do
before do
group.add_guest(user)
end
it_behaves_like 'when the user does not have access to the resource'
end
end
end
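Review bot: The shared example silently depends on `epic`, `group`, `project`, `issue` and `user` being defined by the including spec, and a header comment listing them, e.g. `# Requires the including spec to define: epic, group, project, issue, user`, would make that contract explicit. Separately, `epic.author = user` and `issue.author = user` only change the in-memory objects and are never saved, whereas `issue.assignees.push(user)` on a persisted record writes the join row immediately; if `subject` re-fetches the epic from the database, as the calling specs' `mutation.resolve(group_path:, iid:)` shape suggests, the two author contexts exercise the same persisted state as the plain 'raises an error' example, which is worth confirming and, if so, fixing with `update!` so the author really changes. The issue and merge request shared examples added in this commit use the same in-memory author assignment.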
...@@ -16,10 +16,6 @@ RSpec.shared_examples 'updating health status' do ...@@ -16,10 +16,6 @@ RSpec.shared_examples 'updating health status' do
subject { mutation.resolve(params) } subject { mutation.resolve(params) }
it 'raises an error if the resource is not accessible to the user' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user has permission' do context 'when the user has permission' do
before do before do
resource.resource_parent.add_developer(user) resource.resource_parent.add_developer(user)
......
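Review bot: The unauthorized-user example is removed from the 'updating health status' shared example with no replacement in this hunk, so every spec that includes it loses the check that a user without permission gets `Gitlab::Graphql::Errors::ResourceNotAvailable` unless that spec also includes one of the new per-resource permission shared examples. Confirm that each including spec does so; if the generic shared example is meant to rely on that, a comment at the point of removal such as `# the unauthorized case is covered by the resource-specific permission shared examples` would record the assumption. The enclosing shared example starts and ends outside the hunk.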
...@@ -3,6 +3,20 @@ ...@@ -3,6 +3,20 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe Mutations::Issues::SetAssignees do RSpec.describe Mutations::Issues::SetAssignees do
context 'when the user does not have permissions' do
let_it_be(:issue) { create(:issue) }
let_it_be(:user) { create(:user) }
let_it_be(:assignee) { create(:user) }
subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
describe '#resolve' do
subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, assignee_usernames: [assignee.username]) }
it_behaves_like 'permission level for issue mutation is correctly verified'
end
end
it_behaves_like 'an assignable resource' do it_behaves_like 'an assignable resource' do
let_it_be(:resource, reload: true) { create(:issue) } let_it_be(:resource, reload: true) { create(:issue) }
end end
......
...@@ -17,9 +17,7 @@ RSpec.describe Mutations::Issues::SetConfidential do ...@@ -17,9 +17,7 @@ RSpec.describe Mutations::Issues::SetConfidential do
subject { mutation.resolve(project_path: project.full_path, iid: issue.iid, confidential: confidential) } subject { mutation.resolve(project_path: project.full_path, iid: issue.iid, confidential: confidential) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for issue mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
before do before do
......
...@@ -16,9 +16,7 @@ RSpec.describe Mutations::Issues::SetDueDate do ...@@ -16,9 +16,7 @@ RSpec.describe Mutations::Issues::SetDueDate do
subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, due_date: due_date) } subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, due_date: due_date) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for issue mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
before do before do
......
...@@ -15,9 +15,7 @@ RSpec.describe Mutations::Issues::SetLocked do ...@@ -15,9 +15,7 @@ RSpec.describe Mutations::Issues::SetLocked do
subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, locked: locked) } subject { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, locked: locked) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for issue mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
let(:mutated_issue) { subject[:issue] } let(:mutated_issue) { subject[:issue] }
......
...@@ -15,11 +15,7 @@ RSpec.describe Mutations::Issues::SetSeverity do ...@@ -15,11 +15,7 @@ RSpec.describe Mutations::Issues::SetSeverity do
subject(:resolve) { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, severity: severity) } subject(:resolve) { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, severity: severity) }
context 'when the user cannot update the issue' do it_behaves_like 'permission level for issue mutation is correctly verified'
it 'raises an error' do
expect { resolve }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
before do before do
......
...@@ -35,11 +35,7 @@ RSpec.describe Mutations::Issues::Update do ...@@ -35,11 +35,7 @@ RSpec.describe Mutations::Issues::Update do
subject { mutation.resolve(mutation_params) } subject { mutation.resolve(mutation_params) }
context 'when the user cannot access the issue' do it_behaves_like 'permission level for issue mutation is correctly verified'
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when the user can update the issue' do context 'when the user can update the issue' do
before do before do
......
...@@ -3,6 +3,20 @@ ...@@ -3,6 +3,20 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe Mutations::MergeRequests::SetAssignees do RSpec.describe Mutations::MergeRequests::SetAssignees do
context 'when the user does not have permissions' do
let_it_be(:merge_request) { create(:merge_request) }
let_it_be(:user) { create(:user) }
let_it_be(:assignee) { create(:user) }
subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
describe '#resolve' do
subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, assignee_usernames: [assignee.username]) }
it_behaves_like 'permission level for merge request mutation is correctly verified'
end
end
it_behaves_like 'an assignable resource' do it_behaves_like 'an assignable resource' do
let_it_be(:resource, reload: true) { create(:merge_request) } let_it_be(:resource, reload: true) { create(:merge_request) }
end end
......
...@@ -18,9 +18,7 @@ RSpec.describe Mutations::MergeRequests::SetLabels do ...@@ -18,9 +18,7 @@ RSpec.describe Mutations::MergeRequests::SetLabels do
subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, label_ids: label_ids) } subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, label_ids: label_ids) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for merge request mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the merge request' do context 'when the user can update the merge request' do
before do before do
......
...@@ -16,9 +16,7 @@ RSpec.describe Mutations::MergeRequests::SetLocked do ...@@ -16,9 +16,7 @@ RSpec.describe Mutations::MergeRequests::SetLocked do
subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, locked: locked) } subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, locked: locked) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for merge request mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the merge request' do context 'when the user can update the merge request' do
before do before do
......
...@@ -18,6 +18,8 @@ RSpec.describe Mutations::MergeRequests::SetMilestone do ...@@ -18,6 +18,8 @@ RSpec.describe Mutations::MergeRequests::SetMilestone do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end end
it_behaves_like 'permission level for merge request mutation is correctly verified'
context 'when the user can update the merge request' do context 'when the user can update the merge request' do
before do before do
project.add_developer(user) project.add_developer(user)
......
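Review bot: The hand-written unauthorized-user example whose `expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)` ends just above the inserted `it_behaves_like` line is kept here, while every sibling spec in this commit replaces it with the shared example, so SetMilestone now asserts the same raise twice. Either drop the `it ... end` block that precedes the insertion or add a comment saying why it is retained. The enclosing describe block starts and ends outside the hunk.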
...@@ -16,9 +16,7 @@ RSpec.describe Mutations::MergeRequests::SetWip do ...@@ -16,9 +16,7 @@ RSpec.describe Mutations::MergeRequests::SetWip do
subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, wip: wip) } subject { mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, wip: wip) }
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for merge request mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the merge request' do context 'when the user can update the merge request' do
before do before do
......
...@@ -18,9 +18,7 @@ RSpec.describe Mutations::MergeRequests::Update do ...@@ -18,9 +18,7 @@ RSpec.describe Mutations::MergeRequests::Update do
mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, **attributes) mutation.resolve(project_path: merge_request.project.full_path, iid: merge_request.iid, **attributes)
end end
it 'raises an error if the resource is not accessible to the user' do it_behaves_like 'permission level for merge request mutation is correctly verified'
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'when the user can update the merge request' do context 'when the user can update the merge request' do
before do before do
......
# frozen_string_literal: true
RSpec.shared_examples 'permission level for issue mutation is correctly verified' do |raises_for_all_errors = false|
before do
issue.assignees = []
issue.author = user
end
shared_examples_for 'when the user does not have access to the resource' do |raise_for_assigned|
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'even if assigned to the issue' do
before do
issue.assignees.push(user)
end
it 'does not modify issue' do
if raises_for_all_errors || raise_for_assigned
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
else
expect(subject[:issue]).to eq issue
end
end
end
context 'even if author of the issue' do
before do
issue.author = user
end
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
end
context 'when the user is not a project member' do
it_behaves_like 'when the user does not have access to the resource', true
end
context 'when the user is a project member' do
context 'with guest role' do
before do
issue.project.add_guest(user)
end
it_behaves_like 'when the user does not have access to the resource', false
end
end
end
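Review bot: The outer `before` sets `issue.author = user`, so the plain 'raises an error' example and the 'even if assigned to the issue' example both run with the user already as author, and the later 'even if author of the issue' context repeats the same assignment and adds nothing; the merge request counterpart resets the author in its `before` instead. Assign a different author there, e.g. `issue.author = create(:user)`, so that the base case really is a non-author. Note also that `expect(subject[:issue]).to eq issue` in 'does not modify issue' only checks that the same record comes back (ActiveRecord equality is by class and id), not that its attributes are unchanged, so a guest assignee who was wrongly allowed to update the issue would still pass; compare the attribute under test after reloading, or assert on the mutation's error payload. The 'does not modify merge request' example in the merge request shared example has the same gap.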
# frozen_string_literal: true
RSpec.shared_examples 'permission level for merge request mutation is correctly verified' do
before do
merge_request.assignees = []
merge_request.reviewers = []
merge_request.author = nil
end
shared_examples_for 'when the user does not have access to the resource' do |raise_for_assigned|
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
context 'even if assigned to the merge request' do
before do
merge_request.assignees.push(user)
end
it 'does not modify merge request' do
if raise_for_assigned
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
else
# In some cases we simply do nothing instead of raising
# https://gitlab.com/gitlab-org/gitlab/-/issues/196241
expect(subject[:merge_request]).to eq merge_request
end
end
end
context 'even if reviewer of the merge request' do
before do
merge_request.reviewers.push(user)
end
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'even if author of the merge request' do
before do
merge_request.author = user
end
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
end
context 'when the user is not a project member' do
it_behaves_like 'when the user does not have access to the resource', true
end
context 'when the user is a project member' do
context 'with guest role' do
before do
merge_request.project.add_guest(user)
end
it_behaves_like 'when the user does not have access to the resource', true
end
context 'with reporter role' do
before do
merge_request.project.add_reporter(user)
end
it_behaves_like 'when the user does not have access to the resource', false
end
end
end
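Review bot: The `raise_for_assigned` block parameter and the role matrix at the bottom are the parts of this shared example a reader most needs explained, and neither is documented; a header comment such as `# Expects the including spec to define merge_request and user. raise_for_assigned: whether an assignee at this role must get ResourceNotAvailable rather than an unchanged record (see issue 196241).` would carry that. The reporter context passes `false`, meaning the example asserts that an assignee with reporter role is not rejected, which is a deliberate policy statement and deserves the same explanatory comment that the 'even if assigned' branch already has. `merge_request.author = nil` in the outer `before` is an in-memory change that is never saved, so it presumably relies on `subject` never persisting that object and on the database author staying as created; a one-line comment stating that would keep the next maintainer from "fixing" it into an `update!` that fails validation.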