Merge branch 'fix/admin-mode-graphiql-explorer' into 'master'

Fix admin mode access on GraphiQL controller See merge request gitlab-org/gitlab!29845

Merge branch 'fix/admin-mode-graphiql-explorer' into 'master'
Fix admin mode access on GraphiQL controller See merge request gitlab-org/gitlab!29845
6e5ddb07 · Imre Farkas · 2b0812b2 · e5fa9e4c · 6e5ddb07 · 6e5ddb07
Commit 6e5ddb07 authored May 12, 2020 by Imre Farkas
3 changed files
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -3,7 +3,12 @@
 class GraphqlController < ApplicationController
  # Unauthenticated users have access to the API for public data
  skip_before_action :authenticate_user!
-  skip_around_action :set_session_storage
+
+  # If a user is using their session to access GraphQL, we need to have session
+  # storage, since the admin-mode check is session wide.
+  # We can't enable this for anonymous users because that would cause users using
+  # enforced SSO from using an auth token to access the API.
+  skip_around_action :set_session_storage, unless: :current_user

  # Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
  # the user won't be authenticated but can proceed as an anonymous user.

--- a/changelogs/unreleased/fix-admin-mode-graphiql-explorer.yml
+++ b/changelogs/unreleased/fix-admin-mode-graphiql-explorer.yml
+---
+title: Fix admin mode access on GraphiQL controller
+merge_request: 29845
+author: Diego Louzán
+type: fixed
--- a/spec/controllers/graphql_controller_spec.rb
+++ b/spec/controllers/graphql_controller_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'

 describe GraphqlController do
+  include GraphqlHelpers
+
  before do
    stub_feature_flags(graphql: true)
  end
@@ -64,4 +66,52 @@ describe GraphqlController do
      end
    end
  end
+
+  describe 'Admin Mode' do
+    let(:admin) { create(:admin) }
+    let(:project) { create(:project) }
+    let(:graphql_query) { graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name)) }
+
+    before do
+      sign_in(admin)
+    end
+
+    context 'when admin mode enabled' do
+      before do
+        Gitlab::Session.with_session(controller.session) do
+          controller.current_user_mode.request_admin_mode!
+          controller.current_user_mode.enable_admin_mode!(password: admin.password)
+        end
+      end
+
+      it 'can query project data' do
+        post :execute, params: { query: graphql_query }
+
+        expect(controller.current_user_mode.admin_mode?).to be(true)
+        expect(json_response['data']['project']['name']).to eq(project.name)
+      end
+    end
+
+    context 'when admin mode disabled' do
+      it 'cannot query project data' do
+        post :execute, params: { query: graphql_query }
+
+        expect(controller.current_user_mode.admin_mode?).to be(false)
+        expect(json_response['data']['project']).to be_nil
+      end
+
+      context 'when admin is member of the project' do
+        before do
+          project.add_developer(admin)
+        end
+
+        it 'can query project data' do
+          post :execute, params: { query: graphql_query }
+
+          expect(controller.current_user_mode.admin_mode?).to be(false)
+          expect(json_response['data']['project']['name']).to eq(project.name)
+        end
+      end
+    end
+  end
 end