Commit c101a53e authored by Furkan Ayhan's avatar Furkan Ayhan Committed by Alex Kalderimis

Remove redundant permission checks for GraphQL job type

Reading a build requires a project-level permission, so we don't need
to check read permissions for each build.

In this commit we remove the read_commit_status authorization from
Ci::JobType because its callers already do the check.

Changelog: performance
parent 36157228
......@@ -2,9 +2,10 @@
module Types
module Ci
# rubocop: disable Graphql/AuthorizeTypes
# The permission is presented through `StageType` that has its own authorization
class JobType < BaseObject
graphql_name 'CiJob'
authorize :read_commit_status
connection_type_class(Types::CountableConnectionType)
......
......@@ -23,7 +23,8 @@ module Types
field :job, Types::Ci::JobType,
null: true,
description: 'Job that created this version.'
description: 'Job that created this version.',
authorize: :read_commit_status
field :serial, GraphQL::Types::Int,
null: true,
......
......@@ -4,7 +4,6 @@ require 'spec_helper'
RSpec.describe Types::Ci::JobType do
specify { expect(described_class.graphql_name).to eq('CiJob') }
specify { expect(described_class).to require_graphql_authorizations(:read_commit_status) }
specify { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Ci::Job) }
it 'exposes the expected fields' do
......
......@@ -3,6 +3,8 @@
require 'spec_helper'
RSpec.describe GitlabSchema.types['TerraformStateVersion'] do
include GraphqlHelpers
it { expect(described_class.graphql_name).to eq('TerraformStateVersion') }
it { expect(described_class).to require_graphql_authorizations(:read_terraform_state) }
......@@ -19,4 +21,60 @@ RSpec.describe GitlabSchema.types['TerraformStateVersion'] do
it { expect(described_class.fields['createdAt'].type).to be_non_null }
it { expect(described_class.fields['updatedAt'].type).to be_non_null }
end
describe 'query' do
let_it_be(:project) { create(:project) }
let_it_be(:user) { create(:user) }
let_it_be(:terraform_state) { create(:terraform_state, :with_version, :locked, project: project) }
before do
project.add_developer(user)
end
let(:query) do
<<~GRAPHQL
query {
project(fullPath: "#{project.full_path}") {
terraformState(name: "#{terraform_state.name}") {
latestVersion {
id
job {
name
}
}
}
}
}
GRAPHQL
end
subject(:execute) { GitlabSchema.execute(query, context: { current_user: user }).as_json }
shared_examples 'returning latest version' do
it 'returns latest version of terraform state' do
expect(execute.dig('data', 'project', 'terraformState', 'latestVersion', 'id')).to eq(
global_id_of(terraform_state.latest_version)
)
end
end
it_behaves_like 'returning latest version'
it 'returns job of the latest version' do
expect(execute.dig('data', 'project', 'terraformState', 'latestVersion', 'job')).to be_present
end
context 'when user cannot read jobs' do
before do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(user, :read_commit_status, terraform_state.latest_version).and_return(false)
end
it_behaves_like 'returning latest version'
it 'does not return job of the latest version' do
expect(execute.dig('data', 'project', 'terraformState', 'latestVersion', 'job')).not_to be_present
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment