Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
6643b92b
Commit
6643b92b
authored
Mar 20, 2019
by
Brett Walker
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Use parent object when authorizing scalar types
parent
702f1826
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
138 additions
and
41 deletions
+138
-41
lib/gitlab/graphql/authorize/authorize_field_service.rb
lib/gitlab/graphql/authorize/authorize_field_service.rb
+21
-10
spec/graphql/features/authorization_spec.rb
spec/graphql/features/authorization_spec.rb
+53
-0
spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb
.../gitlab/graphql/authorize/authorize_field_service_spec.rb
+64
-31
No files found.
lib/gitlab/graphql/authorize/authorize_field_service.rb
View file @
6643b92b
...
...
@@ -14,9 +14,10 @@ module Gitlab
end
def
authorized_resolve
proc
do
|
obj
,
args
,
ctx
|
resolved_obj
=
@old_resolve_proc
.
call
(
obj
,
args
,
ctx
)
checker
=
build_checker
(
ctx
[
:current_user
])
proc
do
|
parent_typed_object
,
args
,
ctx
|
resolved_obj
=
@old_resolve_proc
.
call
(
parent_typed_object
,
args
,
ctx
)
authorizing_obj
=
authorize_against
(
parent_typed_object
)
checker
=
build_checker
(
ctx
[
:current_user
],
authorizing_obj
)
if
resolved_obj
.
respond_to?
(
:then
)
resolved_obj
.
then
(
&
checker
)
...
...
@@ -51,22 +52,28 @@ module Gitlab
Array
.
wrap
(
@field
.
metadata
[
:authorize
])
end
def
build_checker
(
current_user
)
lambda
do
|
value
|
# If it's a built-in/scalar type, authorize using its parent object.
# nil means authorize using the resolved object
def
authorize_against
(
parent_typed_object
)
parent_typed_object
.
object
if
built_in_type?
&&
parent_typed_object
.
respond_to?
(
:object
)
end
def
build_checker
(
current_user
,
authorizing_obj
)
lambda
do
|
resolved_obj
|
# Load the elements if they were not loaded by BatchLoader yet
value
=
value
.
sync
if
value
.
respond_to?
(
:sync
)
resolved_obj
=
resolved_obj
.
sync
if
resolved_obj
.
respond_to?
(
:sync
)
check
=
lambda
do
|
object
|
authorizations
.
all?
do
|
ability
|
Ability
.
allowed?
(
current_user
,
ability
,
object
)
Ability
.
allowed?
(
current_user
,
ability
,
authorizing_obj
||
object
)
end
end
case
value
case
resolved_obj
when
Array
,
ActiveRecord
::
Relation
value
.
select
(
&
check
)
resolved_obj
.
select
(
&
check
)
else
value
if
check
.
call
(
value
)
resolved_obj
if
check
.
call
(
resolved_obj
)
end
end
end
...
...
@@ -88,6 +95,10 @@ module Gitlab
def
node_type_for_basic_connection
(
type
)
type
.
unwrap
end
def
built_in_type?
GraphQL
::
Schema
::
BUILT_IN_TYPES
.
has_value?
(
node_type_for_basic_connection
(
@field
.
type
))
end
end
end
end
...
...
spec/graphql/features/authorization_spec.rb
View file @
6643b92b
...
...
@@ -75,6 +75,59 @@ describe 'Gitlab::Graphql::Authorization' do
end
end
describe
'Field authorizations when field is a built in type'
do
let
(
:query_type
)
do
query_factory
do
|
query
|
query
.
field
:object
,
type
,
null:
true
,
resolve:
->
(
obj
,
args
,
ctx
)
{
test_object
}
end
end
describe
'with a single permission'
do
let
(
:type
)
do
type_factory
do
|
type
|
type
.
field
:name
,
GraphQL
::
STRING_TYPE
,
null:
true
,
authorize:
permission_single
end
end
it
'returns the protected field when user has permission'
do
permit
(
permission_single
)
expect
(
subject
).
to
eq
(
'name'
=>
test_object
.
name
)
end
it
'returns nil when user is not authorized'
do
expect
(
subject
).
to
eq
(
'name'
=>
nil
)
end
end
describe
'with a collection of permissions'
do
let
(
:type
)
do
permissions
=
permission_collection
type_factory
do
|
type
|
type
.
field
:name
,
GraphQL
::
STRING_TYPE
,
null:
true
do
authorize
permissions
end
end
end
it
'returns the protected field when user has all permissions'
do
permit
(
*
permission_collection
)
expect
(
subject
).
to
eq
(
'name'
=>
test_object
.
name
)
end
it
'returns nil when user only has one of the permissions'
do
permit
(
permission_collection
.
first
)
expect
(
subject
).
to
eq
(
'name'
=>
nil
)
end
it
'returns nil when user only has none of the permissions'
do
expect
(
subject
).
to
eq
(
'name'
=>
nil
)
end
end
end
describe
'Type authorizations'
do
let
(
:query_type
)
do
query_factory
do
|
query
|
...
...
spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb
View file @
6643b92b
...
...
@@ -9,10 +9,11 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
let
(
:current_user
)
{
double
(
:current_user
)
}
let
(
:abilities
)
{
[
double
(
:first_ability
),
double
(
:last_ability
)]
}
context
'when authorizing against the object'
do
let
(
:checker
)
do
service
=
described_class
.
new
(
double
(
resolve_proc:
proc
{}))
allow
(
service
).
to
receive
(
:authorizations
).
and_return
(
abilities
)
service
.
__send__
(
:build_checker
,
current_user
)
service
.
__send__
(
:build_checker
,
current_user
,
nil
)
end
it
'returns a checker which checks for a single object'
do
...
...
@@ -56,8 +57,40 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
spy_ability_check_for
(
ability
,
allowed
,
passed:
true
)
end
expect
(
checker
.
call
([
disallowed
,
allowed
]))
.
to
contain_exactly
(
allowed
)
expect
(
checker
.
call
([
disallowed
,
allowed
])).
to
contain_exactly
(
allowed
)
end
end
end
context
'when authorizing against another object'
do
let
(
:authorizing_obj
)
{
double
(
:object
)
}
let
(
:checker
)
do
service
=
described_class
.
new
(
double
(
resolve_proc:
proc
{}))
allow
(
service
).
to
receive
(
:authorizations
).
and_return
(
abilities
)
service
.
__send__
(
:build_checker
,
current_user
,
authorizing_obj
)
end
it
'returns a checker which checks for a single object'
do
object
=
double
(
:object
)
abilities
.
each
do
|
ability
|
spy_ability_check_for
(
ability
,
authorizing_obj
,
passed:
true
)
end
expect
(
checker
.
call
(
object
)).
to
eq
(
object
)
end
it
'returns a checker which checks for all objects'
do
objects
=
[
double
(
:first
),
double
(
:last
)]
abilities
.
each
do
|
ability
|
objects
.
each
do
|
object
|
spy_ability_check_for
(
ability
,
authorizing_obj
,
passed:
true
)
end
end
expect
(
checker
.
call
(
objects
)).
to
eq
(
objects
)
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment