Add missing authorization

Changelog: added
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84425
EE: true

ee/app/graphql/resolvers/security_training_urls_resolver.rb

@@ -2,8 +2,13 @@
 
 module Resolvers
   class SecurityTrainingUrlsResolver < BaseResolver
+    include Gitlab::Graphql::Authorize::AuthorizeResource
+
     type [::Types::Security::TrainingUrlType], null: true
 
+    authorize :access_security_and_compliance
+    authorizes_object!
+
     argument :identifier_external_ids,
          [GraphQL::Types::String],
          required: true,

ee/app/graphql/types/security/training_url_type.rb

@@ -2,7 +2,7 @@
 
 module Types
   module Security
-    class TrainingUrlType < BaseObject # rubocop:disable Graphql/AuthorizeTypes (This can be only accessed through VulnerabilityType)
+    class TrainingUrlType < BaseObject # rubocop:disable Graphql/AuthorizeTypes (Authorization is done in resolver layer)
       graphql_name 'SecurityTrainingUrl'
       description 'Represents a URL related to a security training'
 

ee/spec/graphql/resolvers/security_training_urls_resolver_spec.rb

@@ -6,10 +6,22 @@ RSpec.describe Resolvers::SecurityTrainingUrlsResolver do
   include GraphqlHelpers
 
   describe '#resolve' do
-    subject { resolve(described_class, obj: project) }
+    subject { resolve(described_class, obj: project, ctx: { current_user: user }) }
 
+    let_it_be(:user) { create(:user) }
     let_it_be(:project) { create(:project) }
 
+    context 'when the user is not authorized' do
+      it 'does not do the resolver action' do
+        expect(subject).to be_nil
+      end
+    end
+
+    context 'when the user is authorized' do
+      before do
+        project.add_developer(user)
+      end
+
       it 'calls TrainingUrlsFinder#execute' do
         expect_next_instance_of(::Security::TrainingUrlsFinder) do |finder|
           expect(finder).to receive(:execute)
@@ -18,4 +30,5 @@ RSpec.describe Resolvers::SecurityTrainingUrlsResolver do
         subject
       end
     end
+  end
 end