Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
6643b92b
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
6643b92b
编写于
3月 20, 2019
作者:
B
Brett Walker
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Use parent object when authorizing scalar types
上级
702f1826
变更
3
隐藏空白更改
内联
并排
Showing
3 changed file
with
138 addition
and
41 deletion
+138
-41
lib/gitlab/graphql/authorize/authorize_field_service.rb
lib/gitlab/graphql/authorize/authorize_field_service.rb
+21
-10
spec/graphql/features/authorization_spec.rb
spec/graphql/features/authorization_spec.rb
+53
-0
spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb
.../gitlab/graphql/authorize/authorize_field_service_spec.rb
+64
-31
未找到文件。
lib/gitlab/graphql/authorize/authorize_field_service.rb
浏览文件 @
6643b92b
...
...
@@ -14,9 +14,10 @@ module Gitlab
end
def
authorized_resolve
proc
do
|
obj
,
args
,
ctx
|
resolved_obj
=
@old_resolve_proc
.
call
(
obj
,
args
,
ctx
)
checker
=
build_checker
(
ctx
[
:current_user
])
proc
do
|
parent_typed_object
,
args
,
ctx
|
resolved_obj
=
@old_resolve_proc
.
call
(
parent_typed_object
,
args
,
ctx
)
authorizing_obj
=
authorize_against
(
parent_typed_object
)
checker
=
build_checker
(
ctx
[
:current_user
],
authorizing_obj
)
if
resolved_obj
.
respond_to?
(
:then
)
resolved_obj
.
then
(
&
checker
)
...
...
@@ -51,22 +52,28 @@ module Gitlab
Array
.
wrap
(
@field
.
metadata
[
:authorize
])
end
def
build_checker
(
current_user
)
lambda
do
|
value
|
# If it's a built-in/scalar type, authorize using its parent object.
# nil means authorize using the resolved object
def
authorize_against
(
parent_typed_object
)
parent_typed_object
.
object
if
built_in_type?
&&
parent_typed_object
.
respond_to?
(
:object
)
end
def
build_checker
(
current_user
,
authorizing_obj
)
lambda
do
|
resolved_obj
|
# Load the elements if they were not loaded by BatchLoader yet
value
=
value
.
sync
if
value
.
respond_to?
(
:sync
)
resolved_obj
=
resolved_obj
.
sync
if
resolved_obj
.
respond_to?
(
:sync
)
check
=
lambda
do
|
object
|
authorizations
.
all?
do
|
ability
|
Ability
.
allowed?
(
current_user
,
ability
,
object
)
Ability
.
allowed?
(
current_user
,
ability
,
authorizing_obj
||
object
)
end
end
case
value
case
resolved_obj
when
Array
,
ActiveRecord
::
Relation
value
.
select
(
&
check
)
resolved_obj
.
select
(
&
check
)
else
value
if
check
.
call
(
value
)
resolved_obj
if
check
.
call
(
resolved_obj
)
end
end
end
...
...
@@ -88,6 +95,10 @@ module Gitlab
def
node_type_for_basic_connection
(
type
)
type
.
unwrap
end
def
built_in_type?
GraphQL
::
Schema
::
BUILT_IN_TYPES
.
has_value?
(
node_type_for_basic_connection
(
@field
.
type
))
end
end
end
end
...
...
spec/graphql/features/authorization_spec.rb
浏览文件 @
6643b92b
...
...
@@ -75,6 +75,59 @@ describe 'Gitlab::Graphql::Authorization' do
end
end
describe
'Field authorizations when field is a built in type'
do
let
(
:query_type
)
do
query_factory
do
|
query
|
query
.
field
:object
,
type
,
null:
true
,
resolve:
->
(
obj
,
args
,
ctx
)
{
test_object
}
end
end
describe
'with a single permission'
do
let
(
:type
)
do
type_factory
do
|
type
|
type
.
field
:name
,
GraphQL
::
STRING_TYPE
,
null:
true
,
authorize:
permission_single
end
end
it
'returns the protected field when user has permission'
do
permit
(
permission_single
)
expect
(
subject
).
to
eq
(
'name'
=>
test_object
.
name
)
end
it
'returns nil when user is not authorized'
do
expect
(
subject
).
to
eq
(
'name'
=>
nil
)
end
end
describe
'with a collection of permissions'
do
let
(
:type
)
do
permissions
=
permission_collection
type_factory
do
|
type
|
type
.
field
:name
,
GraphQL
::
STRING_TYPE
,
null:
true
do
authorize
permissions
end
end
end
it
'returns the protected field when user has all permissions'
do
permit
(
*
permission_collection
)
expect
(
subject
).
to
eq
(
'name'
=>
test_object
.
name
)
end
it
'returns nil when user only has one of the permissions'
do
permit
(
permission_collection
.
first
)
expect
(
subject
).
to
eq
(
'name'
=>
nil
)
end
it
'returns nil when user only has none of the permissions'
do
expect
(
subject
).
to
eq
(
'name'
=>
nil
)
end
end
end
describe
'Type authorizations'
do
let
(
:query_type
)
do
query_factory
do
|
query
|
...
...
spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb
浏览文件 @
6643b92b
...
...
@@ -9,55 +9,88 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
let
(
:current_user
)
{
double
(
:current_user
)
}
let
(
:abilities
)
{
[
double
(
:first_ability
),
double
(
:last_ability
)]
}
let
(
:checker
)
do
service
=
described_class
.
new
(
double
(
resolve_proc:
proc
{}))
allow
(
service
).
to
receive
(
:authorizations
).
and_return
(
abilities
)
service
.
__send__
(
:build_checker
,
current_user
)
end
context
'when authorizing against the object'
do
let
(
:checker
)
do
service
=
described_class
.
new
(
double
(
resolve_proc:
proc
{}))
allow
(
service
).
to
receive
(
:authorizations
).
and_return
(
abilities
)
service
.
__send__
(
:build_checker
,
current_user
,
nil
)
end
it
'returns a checker which checks for a single object'
do
object
=
double
(
:object
)
it
'returns a checker which checks for a single object'
do
object
=
double
(
:object
)
abilities
.
each
do
|
ability
|
spy_ability_check_for
(
ability
,
object
,
passed:
true
)
end
abilities
.
each
do
|
ability
|
spy_ability_check_for
(
ability
,
object
,
passed:
true
)
end
expect
(
checker
.
call
(
object
)).
to
eq
(
object
)
end
expect
(
checker
.
call
(
object
)).
to
eq
(
object
)
end
it
'returns a checker which checks for all objects'
do
objects
=
[
double
(
:first
),
double
(
:last
)]
it
'returns a checker which checks for all objects'
do
objects
=
[
double
(
:first
),
double
(
:last
)]
abilities
.
each
do
|
ability
|
objects
.
each
do
|
object
|
spy_ability_check_for
(
ability
,
object
,
passed:
true
)
abilities
.
each
do
|
ability
|
objects
.
each
do
|
object
|
spy_ability_check_for
(
ability
,
object
,
passed:
true
)
end
end
expect
(
checker
.
call
(
objects
)).
to
eq
(
objects
)
end
expect
(
checker
.
call
(
objects
)).
to
eq
(
objects
)
end
context
'when some objects would not pass the check'
do
it
'returns nil when it is single object'
do
disallowed
=
double
(
:object
)
spy_ability_check_for
(
abilities
.
first
,
disallowed
,
passed:
false
)
context
'when some objects would not pass the check'
do
it
'returns nil when it is single object'
do
disallowed
=
double
(
:object
)
expect
(
checker
.
call
(
disallowed
)).
to
be_nil
end
it
'returns only objects which passed when there are more than one'
do
allowed
=
double
(
:allowed
)
disallowed
=
double
(
:disallowed
)
spy_ability_check_for
(
abilities
.
first
,
disallowed
,
passed:
false
)
spy_ability_check_for
(
abilities
.
first
,
disallowed
,
passed:
false
)
expect
(
checker
.
call
(
disallowed
)).
to
be_nil
abilities
.
each
do
|
ability
|
spy_ability_check_for
(
ability
,
allowed
,
passed:
true
)
end
expect
(
checker
.
call
([
disallowed
,
allowed
])).
to
contain_exactly
(
allowed
)
end
end
end
context
'when authorizing against another object'
do
let
(
:authorizing_obj
)
{
double
(
:object
)
}
it
'returns only objects which passed when there are more than one'
do
allowed
=
double
(
:allowed
)
disallowed
=
double
(
:disallowed
)
let
(
:checker
)
do
service
=
described_class
.
new
(
double
(
resolve_proc:
proc
{}))
allow
(
service
).
to
receive
(
:authorizations
).
and_return
(
abilities
)
service
.
__send__
(
:build_checker
,
current_user
,
authorizing_obj
)
end
it
'returns a checker which checks for a single object'
do
object
=
double
(
:object
)
abilities
.
each
do
|
ability
|
spy_ability_check_for
(
ability
,
authorizing_obj
,
passed:
true
)
end
expect
(
checker
.
call
(
object
)).
to
eq
(
object
)
end
spy_ability_check_for
(
abilities
.
first
,
disallowed
,
passed:
false
)
it
'returns a checker which checks for all objects'
do
objects
=
[
double
(
:first
),
double
(
:last
)]
abilities
.
each
do
|
ability
|
spy_ability_check_for
(
ability
,
allowed
,
passed:
true
)
objects
.
each
do
|
object
|
spy_ability_check_for
(
ability
,
authorizing_obj
,
passed:
true
)
end
end
expect
(
checker
.
call
([
disallowed
,
allowed
]))
.
to
contain_exactly
(
allowed
)
expect
(
checker
.
call
(
objects
)).
to
eq
(
objects
)
end
end
end
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录