Merge branch 'fix-authorization-training-resolver' into 'master'

Add missing authorization for `SecurityTrainingUrls` See merge request gitlab-org/gitlab!84425

Merge branch 'fix-authorization-training-resolver' into 'master'
Add missing authorization for `SecurityTrainingUrls` See merge request gitlab-org/gitlab!84425
901508a9 · Mayra Cabrera · 94027a97 · b0adb655 · 901508a9 · 901508a9
Commit 901508a9 authored Apr 07, 2022 by Mayra Cabrera
3 changed files
--- a/ee/app/graphql/resolvers/security_training_urls_resolver.rb
+++ b/ee/app/graphql/resolvers/security_training_urls_resolver.rb
@@ -2,8 +2,13 @@

 module Resolvers
  class SecurityTrainingUrlsResolver < BaseResolver
+    include Gitlab::Graphql::Authorize::AuthorizeResource
+
    type [::Types::Security::TrainingUrlType], null: true

+    authorize :access_security_and_compliance
+    authorizes_object!
+
    argument :identifier_external_ids,
         [GraphQL::Types::String],
         required: true,

--- a/ee/app/graphql/types/security/training_url_type.rb
+++ b/ee/app/graphql/types/security/training_url_type.rb
@@ -2,7 +2,7 @@

 module Types
  module Security
-    class TrainingUrlType < BaseObject # rubocop:disable Graphql/AuthorizeTypes (This can be only accessed through VulnerabilityType)
+    class TrainingUrlType < BaseObject # rubocop:disable Graphql/AuthorizeTypes (Authorization is done in resolver layer)
      graphql_name 'SecurityTrainingUrl'
      description 'Represents a URL related to a security training'


--- a/ee/spec/graphql/resolvers/security_training_urls_resolver_spec.rb
+++ b/ee/spec/graphql/resolvers/security_training_urls_resolver_spec.rb
@@ -6,16 +6,29 @@ RSpec.describe Resolvers::SecurityTrainingUrlsResolver do
  include GraphqlHelpers

  describe '#resolve' do
-    subject { resolve(described_class, obj: project) }
+    subject { resolve(described_class, obj: project, ctx: { current_user: user }) }

+    let_it_be(:user) { create(:user) }
    let_it_be(:project) { create(:project) }

-    it 'calls TrainingUrlsFinder#execute' do
-      expect_next_instance_of(::Security::TrainingUrlsFinder) do |finder|
-        expect(finder).to receive(:execute)
+    context 'when the user is not authorized' do
+      it 'does not do the resolver action' do
+        expect(subject).to be_nil
+      end
+    end
+
+    context 'when the user is authorized' do
+      before do
+        project.add_developer(user)
      end

-      subject
+      it 'calls TrainingUrlsFinder#execute' do
+        expect_next_instance_of(::Security::TrainingUrlsFinder) do |finder|
+          expect(finder).to receive(:execute)
+        end
+
+        subject
+      end
    end
  end
 end