Commit b0adb655 authored by Subashis's avatar Subashis

Add missing authorization

Changelog: added
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84425
EE: true
parent 33b71d04
...@@ -2,8 +2,13 @@ ...@@ -2,8 +2,13 @@
module Resolvers module Resolvers
class SecurityTrainingUrlsResolver < BaseResolver class SecurityTrainingUrlsResolver < BaseResolver
include Gitlab::Graphql::Authorize::AuthorizeResource
type [::Types::Security::TrainingUrlType], null: true type [::Types::Security::TrainingUrlType], null: true
authorize :access_security_and_compliance
authorizes_object!
argument :identifier_external_ids, argument :identifier_external_ids,
[GraphQL::Types::String], [GraphQL::Types::String],
required: true, required: true,
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
module Types module Types
module Security module Security
class TrainingUrlType < BaseObject # rubocop:disable Graphql/AuthorizeTypes (This can be only accessed through VulnerabilityType) class TrainingUrlType < BaseObject # rubocop:disable Graphql/AuthorizeTypes (Authorization is done in resolver layer)
graphql_name 'SecurityTrainingUrl' graphql_name 'SecurityTrainingUrl'
description 'Represents a URL related to a security training' description 'Represents a URL related to a security training'
......
...@@ -6,16 +6,29 @@ RSpec.describe Resolvers::SecurityTrainingUrlsResolver do ...@@ -6,16 +6,29 @@ RSpec.describe Resolvers::SecurityTrainingUrlsResolver do
include GraphqlHelpers include GraphqlHelpers
describe '#resolve' do describe '#resolve' do
subject { resolve(described_class, obj: project) } subject { resolve(described_class, obj: project, ctx: { current_user: user }) }
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project) }
it 'calls TrainingUrlsFinder#execute' do context 'when the user is not authorized' do
expect_next_instance_of(::Security::TrainingUrlsFinder) do |finder| it 'does not do the resolver action' do
expect(finder).to receive(:execute) expect(subject).to be_nil
end
end
context 'when the user is authorized' do
before do
project.add_developer(user)
end end
subject it 'calls TrainingUrlsFinder#execute' do
expect_next_instance_of(::Security::TrainingUrlsFinder) do |finder|
expect(finder).to receive(:execute)
end
subject
end
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment