Commit bb4d4701 authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch 'ajk-globalid-award-emojis' into 'master'

[GraphQL] Award Emojis: simplify authorization check

See merge request gitlab-org/gitlab!36109
parents 0b30d88d b7badcf6
...@@ -8,8 +8,6 @@ module Mutations ...@@ -8,8 +8,6 @@ module Mutations
def resolve(args) def resolve(args)
awardable = authorized_find!(id: args[:awardable_id]) awardable = authorized_find!(id: args[:awardable_id])
check_object_is_awardable!(awardable)
service = ::AwardEmojis::AddService.new(awardable, args[:name], current_user).execute service = ::AwardEmojis::AddService.new(awardable, args[:name], current_user).execute
{ {
......
...@@ -3,6 +3,10 @@ ...@@ -3,6 +3,10 @@
module Mutations module Mutations
module AwardEmojis module AwardEmojis
class Base < BaseMutation class Base < BaseMutation
include ::Mutations::FindsByGid
NOT_EMOJI_AWARDABLE = 'You cannot award emoji to this resource.'
authorize :award_emoji authorize :award_emoji
argument :awardable_id, argument :awardable_id,
...@@ -22,20 +26,15 @@ module Mutations ...@@ -22,20 +26,15 @@ module Mutations
private private
# TODO: remove this method when the compatibility layer is removed
# See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
def find_object(id:) def find_object(id:)
# TODO: remove this line when the compatibility layer is removed super(id: ::Types::GlobalIDType[::Awardable].coerce_isolated_input(id))
# See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
id = ::Types::GlobalIDType[::Awardable].coerce_isolated_input(id)
GitlabSchema.find_by_gid(id)
end end
# Called by mutations methods after performing an authorization check def authorize!(object)
# of an awardable object. super
def check_object_is_awardable!(object) raise_resource_not_available_error!(NOT_EMOJI_AWARDABLE) unless object.emoji_awardable?
unless object.is_a?(Awardable) && object.emoji_awardable?
raise Gitlab::Graphql::Errors::ResourceNotAvailable,
'Cannot award emoji to this resource'
end
end end
end end
end end
......
...@@ -8,8 +8,6 @@ module Mutations ...@@ -8,8 +8,6 @@ module Mutations
def resolve(args) def resolve(args)
awardable = authorized_find!(id: args[:awardable_id]) awardable = authorized_find!(id: args[:awardable_id])
check_object_is_awardable!(awardable)
service = ::AwardEmojis::DestroyService.new(awardable, args[:name], current_user).execute service = ::AwardEmojis::DestroyService.new(awardable, args[:name], current_user).execute
{ {
......
...@@ -12,8 +12,6 @@ module Mutations ...@@ -12,8 +12,6 @@ module Mutations
def resolve(args) def resolve(args)
awardable = authorized_find!(id: args[:awardable_id]) awardable = authorized_find!(id: args[:awardable_id])
check_object_is_awardable!(awardable)
service = ::AwardEmojis::ToggleService.new(awardable, args[:name], current_user).execute service = ::AwardEmojis::ToggleService.new(awardable, args[:name], current_user).execute
toggled_on = awardable.awarded_emoji?(args[:name], current_user) toggled_on = awardable.awarded_emoji?(args[:name], current_user)
......
# frozen_string_literal: true
module Mutations
module FindsByGid
def find_object(id:)
GitlabSchema.find_by_gid(id)
end
end
end
...@@ -62,8 +62,8 @@ module Gitlab ...@@ -62,8 +62,8 @@ module Gitlab
end end
end end
def raise_resource_not_available_error! def raise_resource_not_available_error!(msg = RESOURCE_ACCESS_ERROR)
raise Gitlab::Graphql::Errors::ResourceNotAvailable, RESOURCE_ACCESS_ERROR raise Gitlab::Graphql::Errors::ResourceNotAvailable, msg
end end
end end
end end
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Mutations::FindsByGid do
include GraphqlHelpers
let(:mutation_class) do
Class.new(Mutations::BaseMutation) do
authorize :read_user
include Mutations::FindsByGid
end
end
let(:query) { double('Query', schema: GitlabSchema) }
let(:context) { GraphQL::Query::Context.new(query: query, object: nil, values: { current_user: user }) }
let(:user) { create(:user) }
let(:gid) { user.to_global_id }
subject(:mutation) { mutation_class.new(object: nil, context: context, field: nil) }
it 'calls GitlabSchema.find_by_gid to find objects during authorized_find!' do
expect(mutation.authorized_find!(id: gid)).to eq(user)
end
end
...@@ -56,10 +56,10 @@ RSpec.describe 'Adding an AwardEmoji' do ...@@ -56,10 +56,10 @@ RSpec.describe 'Adding an AwardEmoji' do
it_behaves_like 'a mutation that does not create an AwardEmoji' it_behaves_like 'a mutation that does not create an AwardEmoji'
it_behaves_like 'a mutation that returns top-level errors', it_behaves_like 'a mutation that returns top-level errors',
errors: ['Cannot award emoji to this resource'] errors: ['You cannot award emoji to this resource.']
end end
context 'when the given awardable an Awardable' do context 'when the given awardable is an Awardable' do
it 'creates an emoji' do it 'creates an emoji' do
expect do expect do
post_graphql_mutation(mutation, current_user: current_user) post_graphql_mutation(mutation, current_user: current_user)
......
...@@ -55,7 +55,7 @@ RSpec.describe 'Toggling an AwardEmoji' do ...@@ -55,7 +55,7 @@ RSpec.describe 'Toggling an AwardEmoji' do
it_behaves_like 'a mutation that does not create or destroy an AwardEmoji' it_behaves_like 'a mutation that does not create or destroy an AwardEmoji'
it_behaves_like 'a mutation that returns top-level errors', it_behaves_like 'a mutation that returns top-level errors',
errors: ['Cannot award emoji to this resource'] errors: ['You cannot award emoji to this resource.']
end end
context 'when the given awardable is an Awardable' do context 'when the given awardable is an Awardable' do
......
...@@ -9,3 +9,8 @@ RSpec.shared_examples 'a working graphql query' do ...@@ -9,3 +9,8 @@ RSpec.shared_examples 'a working graphql query' do
expect(json_response.keys).to include('data') expect(json_response.keys).to include('data')
end end
end end
RSpec.shared_examples 'a mutation on an unauthorized resource' do
it_behaves_like 'a mutation that returns top-level errors',
errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment