Enforce :read_commit_status on CiJob

This applies the :read_commit_status policy to the `CiJob` GraphQL entities, which are `CommitStatus` objects. This policy guards against information exposure, and we can apply this now that `CiJob.needs` has the correct type. A test is added to ensure we read all fields of `CiBuildNeed` during tests, to prevent regressions.

Enforce :read_commit_status on CiJob
This applies the :read_commit_status policy to the `CiJob` GraphQL entities, which are `CommitStatus` objects. This policy guards against information exposure, and we can apply this now that `CiJob.needs` has the correct type. A test is added to ensure we read all fields of `CiBuildNeed` during tests, to prevent regressions.
d9cd4d65 · Alex Kalderimis · 173bc9f9 · d9cd4d65 · d9cd4d65
Commit d9cd4d65 authored Dec 17, 2020 by Alex Kalderimis
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

app/graphql/types/ci/job_type.rb app/graphql/types/ci/job_type.rb +1 -1

spec/graphql/types/ci/job_type_spec.rb spec/graphql/types/ci/job_type_spec.rb +1 -0

No files found.
--- a/app/graphql/types/ci/job_type.rb
+++ b/app/graphql/types/ci/job_type.rb
@@ -2,9 +2,9 @@

 module Types
  module Ci
-    # rubocop: disable Graphql/AuthorizeTypes
    class JobType < BaseObject
      graphql_name 'CiJob'
+      authorize :read_commit_status

      field :pipeline, Types::Ci::PipelineType, null: true,
            description: 'Pipeline the job belongs to'

--- a/spec/graphql/types/ci/job_type_spec.rb
+++ b/spec/graphql/types/ci/job_type_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'

 RSpec.describe Types::Ci::JobType do
  specify { expect(described_class.graphql_name).to eq('CiJob') }
+  specify { expect(described_class).to require_graphql_authorizations(:read_commit_status) }

  it 'exposes the expected fields' do
    expected_fields = %i[