Add specific package policy

The policy delegates the access to package to the project - New policy - Use policy in PackageType - Remove custom check from resolver - Tests

Add specific package policy
The policy delegates the access to package to the project - New policy - Use policy in PackageType - Remove custom check from resolver - Tests
a32da82f · Nicolò Maria Mezzopera · b2869bcc · a32da82f · a32da82f · a32da82f
Commit a32da82f authored May 12, 2020 by Nicolò Maria Mezzopera
6 changed files
--- a/ee/app/graphql/resolvers/packages_resolver.rb
+++ b/ee/app/graphql/resolvers/packages_resolver.rb
@@ -13,7 +13,7 @@ module Resolvers
    private
    def packages_available?(object, user)
-      ::Gitlab.config.packages.enabled && object.feature_available?(:packages) && Ability.allowed?(user, :read_package, object)
+      ::Gitlab.config.packages.enabled && object.feature_available?(:packages)
    end
  end
 end
--- a/ee/app/graphql/types/package_type.rb
+++ b/ee/app/graphql/types/package_type.rb
 # frozen_string_literal: true
 module Types
-  # rubocop: disable Graphql/AuthorizeTypes
  class PackageType < BaseObject
    graphql_name 'Package'
    description 'Represents a package'
+    authorize :read_package
    field :id, GraphQL::ID_TYPE, null: false, description: 'The ID of the package'
    field :name, GraphQL::STRING_TYPE, null: false, description: 'The name of the package'
@@ -13,5 +13,4 @@ module Types
    field :version, GraphQL::STRING_TYPE, null: true, description: 'The version of the package'
    field :package_type, Types::PackageTypeEnum, null: false, description: 'The type of the package'
  end
-  # rubocop: enable Graphql/AuthorizeTypes
 end
--- a/ee/app/policies/packages/package_policy.rb
+++ b/ee/app/policies/packages/package_policy.rb
+# frozen_string_literal: true
+module Packages
+  class PackagePolicy < BasePolicy
+    delegate { @subject.project }
+  end
+end
--- a/ee/spec/graphql/resolvers/packages_resolver_spec.rb
+++ b/ee/spec/graphql/resolvers/packages_resolver_spec.rb
@@ -22,17 +22,7 @@ describe Resolvers::PackagesResolver do
          allow(project).to receive(:feature_available?).with(:packages).and_return(true)
        end
-        context 'when the user is authorized to read the packages' do
+        it { is_expected.to contain_exactly(package) }
-          before do
-            project.add_reporter(user)
-          end
-          it { is_expected.to contain_exactly(package) }
-        end
-        context 'when the user is not authorized to read the package' do
-          it { is_expected.to be_nil }
-        end
      end
      context 'when the project has the package feature disabled' do

--- a/ee/spec/policies/packages/package_policy_spec.rb
+++ b/ee/spec/policies/packages/package_policy_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe Packages::PackagePolicy do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:project) { create(:project) }
+  let_it_be(:package) { create(:package, project: project) }
+  subject(:policy) { described_class.new(user, package) }
+  context 'when the user is part of the project' do
+    before do
+      project.add_reporter(user)
+    end
+    it 'allows read_package' do
+      expect(policy).to be_allowed(:read_package)
+    end
+  end
+  context 'when the user is not part of the project' do
+    it 'disallows read_package for any Package' do
+      expect(policy).to be_disallowed(:read_package)
+    end
+  end
+end
--- a/ee/spec/requests/api/graphql/project/packages_spec.rb
+++ b/ee/spec/requests/api/graphql/project/packages_spec.rb
@@ -36,26 +36,36 @@ describe 'getting a package list for a project' do
    context 'when user has access to the project' do
      before do
        project.add_reporter(current_user)
+        post_graphql(query, current_user: current_user)
      end
-      it_behaves_like 'a working graphql query' do
+      it_behaves_like 'a working graphql query'
-        before do
-          post_graphql(query, current_user: current_user)
-        end
-      end
      it 'returns packages successfully' do
-        post_graphql(query, current_user: current_user)
-        expect(graphql_errors).to be_nil
        expect(packages_data[0]['node']['name']).to eq package.name
      end
    end
-    context 'when the user does not have access to the packages' do
+    context 'when the user does not have access to the project/packages' do
+      before do
+        post_graphql(query, current_user: current_user)
+      end
+      it_behaves_like 'a working graphql query'
      it 'returns nil' do
+        expect(graphql_data['project']).to be_nil
+      end
+    end
+    context 'when the user is not autenthicated' do
+      before do
        post_graphql(query)
+      end
+      it_behaves_like 'a working graphql query'
+      it 'returns nil' do
        expect(graphql_data['project']).to be_nil
      end
    end
@@ -65,12 +75,13 @@ describe 'getting a package list for a project' do
    before do
      stub_licensed_features(packages: false)
      project.add_reporter(current_user)
+      post_graphql(query, current_user: current_user)
    end
-    it 'returns nil' do
+    it_behaves_like 'a working graphql query'
-      post_graphql(query)
-      expect(graphql_data['project']).to be_nil
+    it 'returns nil' do
+      expect(graphql_data['project']['packages']).to be_nil
    end
  end
 end