Commit b7badcf6 authored by Alex Kalderimis's avatar Alex Kalderimis Committed by Alex Kalderimis

Simplify award emoji mutation authorization

Places extra authorization call inside authorized!

This places the extra `emoji_awardable?` check in the
`authorized!` method of the `AuthorizeResource` concern, which
is the method responsible for determining what authorization means for a
particular mutation.

This leads to code simplification and more uniform messages in line with
the rest of the API.
parent e34264af
...@@ -8,8 +8,6 @@ module Mutations ...@@ -8,8 +8,6 @@ module Mutations
def resolve(args) def resolve(args)
awardable = authorized_find!(id: args[:awardable_id]) awardable = authorized_find!(id: args[:awardable_id])
check_object_is_awardable!(awardable)
service = ::AwardEmojis::AddService.new(awardable, args[:name], current_user).execute service = ::AwardEmojis::AddService.new(awardable, args[:name], current_user).execute
{ {
......
...@@ -3,6 +3,10 @@ ...@@ -3,6 +3,10 @@
module Mutations module Mutations
module AwardEmojis module AwardEmojis
class Base < BaseMutation class Base < BaseMutation
include ::Mutations::FindsByGid
NOT_EMOJI_AWARDABLE = 'You cannot award emoji to this resource.'
authorize :award_emoji authorize :award_emoji
argument :awardable_id, argument :awardable_id,
...@@ -22,20 +26,15 @@ module Mutations ...@@ -22,20 +26,15 @@ module Mutations
private private
def find_object(id:) # TODO: remove this method when the compatibility layer is removed
# TODO: remove this line when the compatibility layer is removed
# See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883 # See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
id = ::Types::GlobalIDType[::Awardable].coerce_isolated_input(id) def find_object(id:)
GitlabSchema.find_by_gid(id) super(id: ::Types::GlobalIDType[::Awardable].coerce_isolated_input(id))
end end
# Called by mutations methods after performing an authorization check def authorize!(object)
# of an awardable object. super
def check_object_is_awardable!(object) raise_resource_not_available_error!(NOT_EMOJI_AWARDABLE) unless object.emoji_awardable?
unless object.is_a?(Awardable) && object.emoji_awardable?
raise Gitlab::Graphql::Errors::ResourceNotAvailable,
'Cannot award emoji to this resource'
end
end end
end end
end end
......
...@@ -8,8 +8,6 @@ module Mutations ...@@ -8,8 +8,6 @@ module Mutations
def resolve(args) def resolve(args)
awardable = authorized_find!(id: args[:awardable_id]) awardable = authorized_find!(id: args[:awardable_id])
check_object_is_awardable!(awardable)
service = ::AwardEmojis::DestroyService.new(awardable, args[:name], current_user).execute service = ::AwardEmojis::DestroyService.new(awardable, args[:name], current_user).execute
{ {
......
...@@ -12,8 +12,6 @@ module Mutations ...@@ -12,8 +12,6 @@ module Mutations
def resolve(args) def resolve(args)
awardable = authorized_find!(id: args[:awardable_id]) awardable = authorized_find!(id: args[:awardable_id])
check_object_is_awardable!(awardable)
service = ::AwardEmojis::ToggleService.new(awardable, args[:name], current_user).execute service = ::AwardEmojis::ToggleService.new(awardable, args[:name], current_user).execute
toggled_on = awardable.awarded_emoji?(args[:name], current_user) toggled_on = awardable.awarded_emoji?(args[:name], current_user)
......
# frozen_string_literal: true
module Mutations
module FindsByGid
def find_object(id:)
GitlabSchema.find_by_gid(id)
end
end
end
...@@ -62,8 +62,8 @@ module Gitlab ...@@ -62,8 +62,8 @@ module Gitlab
end end
end end
def raise_resource_not_available_error! def raise_resource_not_available_error!(msg = RESOURCE_ACCESS_ERROR)
raise Gitlab::Graphql::Errors::ResourceNotAvailable, RESOURCE_ACCESS_ERROR raise Gitlab::Graphql::Errors::ResourceNotAvailable, msg
end end
end end
end end
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Mutations::FindsByGid do
include GraphqlHelpers
let(:mutation_class) do
Class.new(Mutations::BaseMutation) do
authorize :read_user
include Mutations::FindsByGid
end
end
let(:query) { double('Query', schema: GitlabSchema) }
let(:context) { GraphQL::Query::Context.new(query: query, object: nil, values: { current_user: user }) }
let(:user) { create(:user) }
let(:gid) { user.to_global_id }
subject(:mutation) { mutation_class.new(object: nil, context: context, field: nil) }
it 'calls GitlabSchema.find_by_gid to find objects during authorized_find!' do
expect(mutation.authorized_find!(id: gid)).to eq(user)
end
end
...@@ -56,10 +56,10 @@ RSpec.describe 'Adding an AwardEmoji' do ...@@ -56,10 +56,10 @@ RSpec.describe 'Adding an AwardEmoji' do
it_behaves_like 'a mutation that does not create an AwardEmoji' it_behaves_like 'a mutation that does not create an AwardEmoji'
it_behaves_like 'a mutation that returns top-level errors', it_behaves_like 'a mutation that returns top-level errors',
errors: ['Cannot award emoji to this resource'] errors: ['You cannot award emoji to this resource.']
end end
context 'when the given awardable an Awardable' do context 'when the given awardable is an Awardable' do
it 'creates an emoji' do it 'creates an emoji' do
expect do expect do
post_graphql_mutation(mutation, current_user: current_user) post_graphql_mutation(mutation, current_user: current_user)
......
...@@ -55,7 +55,7 @@ RSpec.describe 'Toggling an AwardEmoji' do ...@@ -55,7 +55,7 @@ RSpec.describe 'Toggling an AwardEmoji' do
it_behaves_like 'a mutation that does not create or destroy an AwardEmoji' it_behaves_like 'a mutation that does not create or destroy an AwardEmoji'
it_behaves_like 'a mutation that returns top-level errors', it_behaves_like 'a mutation that returns top-level errors',
errors: ['Cannot award emoji to this resource'] errors: ['You cannot award emoji to this resource.']
end end
context 'when the given awardable is an Awardable' do context 'when the given awardable is an Awardable' do
......
...@@ -9,3 +9,8 @@ RSpec.shared_examples 'a working graphql query' do ...@@ -9,3 +9,8 @@ RSpec.shared_examples 'a working graphql query' do
expect(json_response.keys).to include('data') expect(json_response.keys).to include('data')
end end
end end
RSpec.shared_examples 'a mutation on an unauthorized resource' do
it_behaves_like 'a mutation that returns top-level errors',
errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment