Add API access check to Graphql
Check if user can access API on GraphqlController
This commit is contained in:
parent
b78aa81f32
commit
73b553a42a
|
@ -12,6 +12,7 @@ class GraphqlController < ApplicationController
|
|||
protect_from_forgery with: :null_session, only: :execute
|
||||
|
||||
before_action :check_graphql_feature_flag!
|
||||
before_action :authorize_access_api!
|
||||
before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
|
||||
|
||||
def execute
|
||||
|
@ -37,6 +38,10 @@ class GraphqlController < ApplicationController
|
|||
|
||||
private
|
||||
|
||||
def authorize_access_api!
|
||||
access_denied!("API not accessible for user.") unless can?(current_user, :access_api)
|
||||
end
|
||||
|
||||
# Overridden from the ApplicationController to make the response look like
|
||||
# a GraphQL response. That is nicely picked up in Graphiql.
|
||||
def render_404
|
||||
|
|
|
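Review bot: `before_action :authorize_access_api!` is registered ahead of the `authenticate_sessionless_user!(:api)` callback, so for a request authenticated by token rather than session, `current_user` is presumably still nil when `can?(current_user, :access_api)` runs — the guard is then evaluated for an anonymous caller, which the new spec shows is allowed (200 when not logged in), and only afterwards is the token user signed in. Unless sessionless sign-in independently rejects blocked or internal users, such a user could still reach `execute` with a token despite the new check; swapping the two declarations closes that gap: `before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }` followed by `before_action :authorize_access_api!`. A comment above `authorize_access_api!` such as `# nil (anonymous) is deliberately allowed through so unauthenticated public queries keep working` would also make the anonymous behaviour explicit. The class continues outside the hunk.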
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Add API access check to Graphql
|
||||
merge_request: 26570
|
||||
author:
|
||||
type: other
|
|
@ -0,0 +1,45 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
describe GraphqlController do
|
||||
before do
|
||||
stub_feature_flags(graphql: true)
|
||||
end
|
||||
|
||||
describe 'POST #execute' do
|
||||
context 'when user is logged in' do
|
||||
let(:user) { create(:user) }
|
||||
|
||||
before do
|
||||
sign_in(user)
|
||||
end
|
||||
|
||||
it 'returns 200 when user can access API' do
|
||||
post :execute
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
end
|
||||
|
||||
it 'returns access denied template when user cannot access API' do
|
||||
# User cannot access API in a couple of cases
|
||||
# * When user is internal(like ghost users)
|
||||
# * When user is blocked
|
||||
expect(Ability).to receive(:allowed?).with(user, :access_api, :global).and_return(false)
|
||||
|
||||
post :execute
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
expect(response).to render_template('errors/access_denied')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user is not logged in' do
|
||||
it 'returns 200' do
|
||||
post :execute
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
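Review bot: The denial example (`returns access denied template when user cannot access API`) is proven only by stubbing `Ability.allowed?`, so it passes no matter what `:access_api` actually evaluates to for the blocked and internal users the comment names, and a policy regression there would go unnoticed. Add at least one concrete case, e.g. `let(:user) { create(:user, :blocked) }` with `expect(response).to have_gitlab_http_status(403)`, assuming the `:blocked` trait exists in the user factory and `sign_in` accepts such a user in this spec setup. There is also no example for token-based (sessionless) access, which in the controller runs through `authenticate_sessionless_user!` registered after the new guard; a spec posting as a blocked user with a personal access token would pin that path. The `when user is not logged in` example effectively documents that anonymous callers pass the new guard — a one-line comment saying so, e.g. `# anonymous access is intentionally permitted by the :access_api check`, would make that intent explicit.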