Avoid listing snippets in GraphQL when user profile is private

parent a8a3056b
...@@ -5,6 +5,7 @@ module Resolvers ...@@ -5,6 +5,7 @@ module Resolvers
module Users module Users
class SnippetsResolver < BaseResolver class SnippetsResolver < BaseResolver
include ResolvesSnippets include ResolvesSnippets
include Gitlab::Allowable
alias_method :user, :object alias_method :user, :object
...@@ -14,6 +15,12 @@ module Resolvers ...@@ -14,6 +15,12 @@ module Resolvers
private private
def resolve_snippets(_args)
return Snippet.none unless Ability.allowed?(current_user, :read_user_profile, user)
super
end
def snippet_finder_params(args) def snippet_finder_params(args)
super.merge(author: user) super.merge(author: user)
end end
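Review bot: The guard in `resolve_snippets` calls `Ability.allowed?` directly even though the same hunk's sibling change adds `include Gitlab::Allowable`, which presumably exists to provide the `can?` helper; as written the include is unused by the visible code. Either drop the include or make the check consistent with it: `return Snippet.none unless can?(current_user, :read_user_profile, user)`. A short why-comment above the guard would also help the next reader, e.g. `# Return an empty relation rather than raising so the resolver reveals nothing about a private profile`. The enclosing class continues past the hunk, so the remaining body could not be checked here.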
---
title: Avoid listing snippets through GraphQL when user profile is private
merge_request: 58739
author:
type: fixed
...@@ -75,9 +75,19 @@ RSpec.describe Resolvers::Users::SnippetsResolver do ...@@ -75,9 +75,19 @@ RSpec.describe Resolvers::Users::SnippetsResolver do
end.to raise_error(GraphQL::CoercionError) end.to raise_error(GraphQL::CoercionError)
end end
end end
context 'when user profile is private' do
it 'does not return snippets for that user' do
expect(resolve_snippets(obj: other_user)).to contain_exactly(other_personal_snippet, other_project_snippet)
other_user.update!(private_profile: true)
expect(resolve_snippets(obj: other_user)).to be_empty
end
end
end end
def resolve_snippets(args: {}) def resolve_snippets(args: {}, context_user: current_user, obj: current_user)
resolve(described_class, args: args, ctx: { current_user: current_user }, obj: current_user) resolve(described_class, args: args, ctx: { current_user: context_user }, obj: obj)
end end
end end
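Review bot: The new `context 'when user profile is private'` only checks that a different viewer gets no snippets; it does not cover the viewer being the profile owner, although the new `context_user:` keyword on `resolve_snippets` appears to be added for exactly that. If `:read_user_profile` is still granted to the owner (I cannot confirm the policy from this hunk), add an example such as `expect(resolve_snippets(context_user: other_user, obj: other_user)).to contain_exactly(other_personal_snippet, other_project_snippet)` after `other_user.update!(private_profile: true)`, so a policy regression that hides snippets from their author would be caught. As a matter of style, the first `expect` in the example is really a precondition; an `expect { other_user.update!(private_profile: true) }.to change { resolve_snippets(obj: other_user).to_a }.to([])` form states the intent more directly. The enclosing `describe` and the `let` definitions the example relies on start outside the hunk.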