Remove authorization from resolver and update spec

Update the spec to ensure a merge request not invisible
to the current user is not counted.

app/graphql/resolvers/merge_requests_count_resolver.rb

@@ -2,13 +2,9 @@
 
 module Resolvers
   class MergeRequestsCountResolver < BaseResolver
-    include Gitlab::Graphql::Authorize::AuthorizeResource
-
     type GraphQL::Types::Int, null: true
 
     def resolve
-      authorize!(object)
-
       BatchLoader::GraphQL.for(object.id).batch do |ids, loader, args|
         counts = MergeRequestsClosingIssues.count_for_collection(ids, context[:current_user]).to_h
 
@@ -17,10 +13,5 @@ module Resolvers
         end
       end
     end
-
-    def authorized_resource?(object)
-      ability = "read_#{object.class.name.underscore}".to_sym
-      context[:current_user].present? && Ability.allowed?(context[:current_user], ability, object)
-    end
   end
 end

spec/graphql/resolvers/merge_requests_count_resolver_spec.rb

@@ -7,50 +7,34 @@ RSpec.describe Resolvers::MergeRequestsCountResolver do
 
   describe '#resolve' do
     let_it_be(:user) { create(:user) }
+    let_it_be(:project1) { create(:project, :repository, :public) }
+    let_it_be(:project2) { create(:project, :repository, repository_access_level: ProjectFeature::PRIVATE) }
+    let_it_be(:issue) { create(:issue, project: project1) }
+    let_it_be(:merge_request_closing_issue1) { create(:merge_requests_closing_issues, issue: issue) }
+    let_it_be(:merge_request_closing_issue2) do
+      merge_request = create(:merge_request, source_project: project2)
+      create(:merge_requests_closing_issues, issue: issue, merge_request: merge_request)
+    end
 
     specify do
       expect(described_class).to have_nullable_graphql_type(GraphQL::Types::Int)
     end
 
-    context 'when counting closing merge requests from a public issue' do
-      let_it_be(:project) { create(:project, :repository, :public) }
-      let_it_be(:issue) { create(:issue, project: project) }
-      let_it_be(:merge_request) { create(:merge_requests_closing_issues, issue: issue) }
-
-      subject { batch_sync { resolve_merge_requests_count(issue) } }
+    subject { batch_sync { resolve_merge_requests_count(issue) } }
 
+    context "when user can only view an issue's closing merge requests that are public" do
       it 'returns the count of the merge requests closing the issue' do
         expect(subject).to eq(1)
       end
     end
 
-    context 'when attempting to view a private issue' do
-      let_it_be(:private_project) { create(:project, :repository, :private) }
-      let_it_be(:issue) { create(:issue, project: private_project) }
-
-      before_all do
-        create(:merge_requests_closing_issues, issue: issue)
-        create(:merge_requests_closing_issues, issue: issue)
+    context "when user can view an issue's closing merge requests that are both public and private" do
+      before do
+        project2.add_reporter(user)
       end
 
-      context 'when a user has permission to view the issue' do
-        before do
-          private_project.add_developer(user)
-        end
-
-        subject { batch_sync { resolve_merge_requests_count(issue) } }
-
-        it 'returns the count of the merge requests closing the issue' do
-          expect(subject).to eq(2)
-        end
-      end
-
-      context 'when a user does not have permission to view the issue' do
-        subject { batch_sync { resolve_merge_requests_count(issue) } }
-
-        it 'raises an error' do
-          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-        end
+      it 'returns the count of the merge requests closing the issue' do
+        expect(subject).to eq(2)
       end
     end
   end