Merge branch '330707-redundant-permission-checks' into 'master'

Remove redundant permission checks for GraphQL job type

See merge request gitlab-org/gitlab!69982

app/graphql/types/ci/job_type.rb

@@ -2,9 +2,10 @@
 
 module Types
   module Ci
+    # rubocop: disable Graphql/AuthorizeTypes
+    # The permission is presented through `StageType` that has its own authorization
     class JobType < BaseObject
       graphql_name 'CiJob'
-      authorize :read_commit_status
 
       connection_type_class(Types::CountableConnectionType)
 

app/graphql/types/terraform/state_version_type.rb

@@ -23,7 +23,8 @@ module Types
 
       field :job, Types::Ci::JobType,
             null: true,
-            description: 'Job that created this version.'
+            description: 'Job that created this version.',
+            authorize: :read_commit_status
 
       field :serial, GraphQL::Types::Int,
             null: true,

spec/graphql/types/ci/job_type_spec.rb

@@ -4,7 +4,6 @@ require 'spec_helper'
 
 RSpec.describe Types::Ci::JobType do
   specify { expect(described_class.graphql_name).to eq('CiJob') }
-  specify { expect(described_class).to require_graphql_authorizations(:read_commit_status) }
   specify { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Ci::Job) }
 
   it 'exposes the expected fields' do

spec/graphql/types/terraform/state_version_type_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe GitlabSchema.types['TerraformStateVersion'] do
+  include GraphqlHelpers
+
   it { expect(described_class.graphql_name).to eq('TerraformStateVersion') }
   it { expect(described_class).to require_graphql_authorizations(:read_terraform_state) }
 
@@ -19,4 +21,60 @@ RSpec.describe GitlabSchema.types['TerraformStateVersion'] do
     it { expect(described_class.fields['createdAt'].type).to be_non_null }
     it { expect(described_class.fields['updatedAt'].type).to be_non_null }
   end
+
+  describe 'query' do
+    let_it_be(:project) { create(:project) }
+    let_it_be(:user) { create(:user) }
+    let_it_be(:terraform_state) { create(:terraform_state, :with_version, :locked, project: project) }
+
+    before do
+      project.add_developer(user)
+    end
+
+    let(:query) do
+      <<~GRAPHQL
+        query {
+          project(fullPath: "#{project.full_path}") {
+            terraformState(name: "#{terraform_state.name}") {
+              latestVersion {
+                id
+                job {
+                  name
+                }
+              }
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    subject(:execute) { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+
+    shared_examples 'returning latest version' do
+      it 'returns latest version of terraform state' do
+        expect(execute.dig('data', 'project', 'terraformState', 'latestVersion', 'id')).to eq(
+          global_id_of(terraform_state.latest_version)
+        )
+      end
+    end
+
+    it_behaves_like 'returning latest version'
+
+    it 'returns job of the latest version' do
+      expect(execute.dig('data', 'project', 'terraformState', 'latestVersion', 'job')).to be_present
+    end
+
+    context 'when user cannot read jobs' do
+      before do
+        allow(Ability).to receive(:allowed?).and_call_original
+        allow(Ability).to receive(:allowed?).with(user, :read_commit_status, terraform_state.latest_version).and_return(false)
+      end
+
+      it_behaves_like 'returning latest version'
+
+      it 'does not return job of the latest version' do
+        expect(execute.dig('data', 'project', 'terraformState', 'latestVersion', 'job')).not_to be_present
+      end
+    end
+  end
 end