Commit e5fa9e4c authored by Diego Louzán's avatar Diego Louzán Committed by Imre Farkas

Fix admin mode access on GraphiQL controller

parent f7df08df
...@@ -3,7 +3,12 @@ ...@@ -3,7 +3,12 @@
class GraphqlController < ApplicationController class GraphqlController < ApplicationController
# Unauthenticated users have access to the API for public data # Unauthenticated users have access to the API for public data
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
skip_around_action :set_session_storage
# If a user is using their session to access GraphQL, we need to have session
# storage, since the admin-mode check is session wide.
# We can't enable this for anonymous users because that would cause users using
# enforced SSO from using an auth token to access the API.
skip_around_action :set_session_storage, unless: :current_user
# Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing, # Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
# the user won't be authenticated but can proceed as an anonymous user. # the user won't be authenticated but can proceed as an anonymous user.
......
---
title: Fix admin mode access on GraphiQL controller
merge_request: 29845
author: Diego Louzán
type: fixed
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe GraphqlController do describe GraphqlController do
include GraphqlHelpers
before do before do
stub_feature_flags(graphql: true) stub_feature_flags(graphql: true)
end end
...@@ -64,4 +66,52 @@ describe GraphqlController do ...@@ -64,4 +66,52 @@ describe GraphqlController do
end end
end end
end end
describe 'Admin Mode' do
let(:admin) { create(:admin) }
let(:project) { create(:project) }
let(:graphql_query) { graphql_query_for('project', { 'fullPath' => project.full_path }, %w(id name)) }
before do
sign_in(admin)
end
context 'when admin mode enabled' do
before do
Gitlab::Session.with_session(controller.session) do
controller.current_user_mode.request_admin_mode!
controller.current_user_mode.enable_admin_mode!(password: admin.password)
end
end
it 'can query project data' do
post :execute, params: { query: graphql_query }
expect(controller.current_user_mode.admin_mode?).to be(true)
expect(json_response['data']['project']['name']).to eq(project.name)
end
end
context 'when admin mode disabled' do
it 'cannot query project data' do
post :execute, params: { query: graphql_query }
expect(controller.current_user_mode.admin_mode?).to be(false)
expect(json_response['data']['project']).to be_nil
end
context 'when admin is member of the project' do
before do
project.add_developer(admin)
end
it 'can query project data' do
post :execute, params: { query: graphql_query }
expect(controller.current_user_mode.admin_mode?).to be(false)
expect(json_response['data']['project']['name']).to eq(project.name)
end
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment