Check authorization to view billableMembersCount

In our GrahpQL GroupType we should only return the billable member type
for users who are authorized to view it (group owners)

Changelog: fixed
EE: true

ee/app/graphql/ee/types/group_type.rb

@@ -85,6 +85,7 @@ module GroupType
 
         field :billable_members_count, ::GraphQL::Types::Int,
               null: true,
+              authorize: :owner_access,
               description: 'Number of billable users in the group.' do
                 argument :requested_hosted_plan, String, required: false, description: 'Plan from which to get billable members.'
               end

ee/spec/graphql/ee/types/group_type_spec.rb

@@ -69,20 +69,15 @@
   describe 'billable members count' do
     let_it_be(:group) { create(:group) }
     let_it_be(:project) { create(:project, namespace: group) }
-    let_it_be(:user1) { create(:user) }
-    let_it_be(:user2) { create(:user) }
-    let_it_be(:user3) { create(:user) }
-    let_it_be(:user4) { create(:user) }
-
-    before do
-      group.add_developer(user1)
-      group.add_guest(user2)
-      project.add_developer(user3)
-      project.add_guest(user4)
-    end
-
-    it "returns billable users count including guests when no plan is provided" do
-      query = <<~GQL
+    let_it_be(:group_owner) { create(:user) }
+    let_it_be(:group_developer) { create(:user) }
+    let_it_be(:group_guest) { create(:user) }
+    let_it_be(:project_developer) { create(:user) }
+    let_it_be(:project_guest) { create(:user) }
+
+    let(:current_user) { group_owner }
+    let(:query) do
+      <<~GQL
         query {
           group(fullPath: "#{group.full_path}") {
             id,
@@ -90,46 +85,63 @@
           }
         }
       GQL
+    end
 
-      result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
+    before do
+      group.add_owner(group_owner)
+      group.add_developer(group_developer)
+      group.add_guest(group_guest)
+      project.add_developer(project_developer)
+      project.add_guest(project_guest)
+    end
 
-      billable_members_count = result.dig('data', 'group', 'billableMembersCount')
+    subject(:billable_members_count) do
+      result = GitlabSchema.execute(query, context: { current_user: current_user }).as_json
 
-      expect(billable_members_count).to eq(4)
+      result.dig('data', 'group', 'billableMembersCount')
     end
 
-    it "returns billable users count including guests when a plan that should include guests is provided" do
-      query = <<~GQL
-        query {
-          group(fullPath: "#{group.full_path}") {
-            id,
-            billableMembersCount(requestedHostedPlan: "#{::Plan::SILVER}")
-          }
-        }
-      GQL
+    context 'when no plan is provided' do
+      it 'returns billable users count including guests' do
+        expect(billable_members_count).to eq(5)
+      end
+    end
 
-      result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
+    context 'when a plan is provided' do
+      let(:query) do
+        <<~GQL
+          query {
+            group(fullPath: "#{group.full_path}") {
+              id,
+              billableMembersCount(requestedHostedPlan: "#{plan}")
+            }
+          }
+        GQL
+      end
 
-      billable_members_count = result.dig('data', 'group', 'billableMembersCount')
+      context 'with a plan that should include guests is provided' do
+        let(:plan) { ::Plan::SILVER }
 
-      expect(billable_members_count).to eq(4)
-    end
+        it 'returns billable users count including guests' do
+          expect(billable_members_count).to eq(5)
+        end
+      end
 
-    it "returns billable users count excluding guests when a plan that should exclude guests is provided" do
-      query = <<~GQL
-        query {
-          group(fullPath: "#{group.full_path}") {
-            id,
-            billableMembersCount(requestedHostedPlan: "#{::Plan::ULTIMATE}")
-          }
-        }
-      GQL
+      context 'with a plan that should exclude guests is provided' do
+        let(:plan) { ::Plan::ULTIMATE }
 
-      result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
+        it 'returns billable users count excluding guests when a plan that should exclude guests is provided' do
+          expect(billable_members_count).to eq(3)
+        end
+      end
+    end
 
-      billable_members_count = result.dig('data', 'group', 'billableMembersCount')
+    context 'without owner authorization' do
+      let(:current_user) { group_developer }
 
-      expect(billable_members_count).to eq(2)
+      it 'does not return the billable members count' do
+        expect(billable_members_count).to be_nil
+      end
     end
   end