Commit f2bb88bb authored by Eulyeon Ko's avatar Eulyeon Ko Committed by Jan Provaznik

Remove authorization from resolver and update spec

Update the spec to ensure a merge request that is not visible
to the current user is not counted.
parent 8c185e66
......@@ -2,13 +2,9 @@
module Resolvers
class MergeRequestsCountResolver < BaseResolver
include Gitlab::Graphql::Authorize::AuthorizeResource
type GraphQL::Types::Int, null: true
def resolve
authorize!(object)
BatchLoader::GraphQL.for(object.id).batch do |ids, loader, args|
counts = MergeRequestsClosingIssues.count_for_collection(ids, context[:current_user]).to_h
......@@ -17,10 +13,5 @@ module Resolvers
end
end
end
def authorized_resource?(object)
ability = "read_#{object.class.name.underscore}".to_sym
context[:current_user].present? && Ability.allowed?(context[:current_user], ability, object)
end
end
end
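Review bot: With `authorize!(object)` and `authorized_resource?` removed, `resolve` no longer rejects a request whose `context[:current_user]` is absent, so an unauthenticated caller now reaches `MergeRequestsClosingIssues.count_for_collection(ids, context[:current_user])` with a nil user. That method is not shown on this page, so confirm it handles nil and counts only publicly visible merge requests. The resolver also no longer states where read access to the issue itself is enforced; presumably the parent type's authorization covers it. If that holds, I would add a comment above `def resolve` such as `# The issue is authorized by the parent type; count_for_collection only counts merge requests visible to current_user.`. The end of the batch block falls between the two hunks and is not displayed here.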
......@@ -7,50 +7,34 @@ RSpec.describe Resolvers::MergeRequestsCountResolver do
describe '#resolve' do
let_it_be(:user) { create(:user) }
let_it_be(:project1) { create(:project, :repository, :public) }
let_it_be(:project2) { create(:project, :repository, repository_access_level: ProjectFeature::PRIVATE) }
let_it_be(:issue) { create(:issue, project: project1) }
let_it_be(:merge_request_closing_issue1) { create(:merge_requests_closing_issues, issue: issue) }
let_it_be(:merge_request_closing_issue2) do
merge_request = create(:merge_request, source_project: project2)
create(:merge_requests_closing_issues, issue: issue, merge_request: merge_request)
end
specify do
expect(described_class).to have_nullable_graphql_type(GraphQL::Types::Int)
end
context 'when counting closing merge requests from a public issue' do
let_it_be(:project) { create(:project, :repository, :public) }
let_it_be(:issue) { create(:issue, project: project) }
let_it_be(:merge_request) { create(:merge_requests_closing_issues, issue: issue) }
subject { batch_sync { resolve_merge_requests_count(issue) } }
subject { batch_sync { resolve_merge_requests_count(issue) } }
context "when user can only view an issue's closing merge requests that are public" do
it 'returns the count of the merge requests closing the issue' do
expect(subject).to eq(1)
end
end
context 'when attempting to view a private issue' do
let_it_be(:private_project) { create(:project, :repository, :private) }
let_it_be(:issue) { create(:issue, project: private_project) }
before_all do
create(:merge_requests_closing_issues, issue: issue)
create(:merge_requests_closing_issues, issue: issue)
context "when user can view an issue's closing merge requests that are both public and private" do
before do
project2.add_reporter(user)
end
context 'when a user has permission to view the issue' do
before do
private_project.add_developer(user)
end
subject { batch_sync { resolve_merge_requests_count(issue) } }
it 'returns the count of the merge requests closing the issue' do
expect(subject).to eq(2)
end
end
context 'when a user does not have permission to view the issue' do
subject { batch_sync { resolve_merge_requests_count(issue) } }
it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
it 'returns the count of the merge requests closing the issue' do
expect(subject).to eq(2)
end
end
end
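Review bot: No example in `describe '#resolve'` appears to cover a request without a signed-in user, or an issue the user cannot read, now that the `raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)` example is dropped. This page does not mark which lines are old and which are new, so this reading relies on the commit description. Since the resolver no longer authorizes the issue, I would add a context that resolves the count with a nil current user and expects `eq(1)`, because only the merge request in `project1` is public. I would also check that a spec at the type or request level still asserts a private issue's count is not exposed. The `resolve_merge_requests_count` helper is defined outside the displayed lines, so whether it accepts a different user has to be checked there.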
......