Merge branch 'eb-fix-environment-scopes-graphql-auth' into 'master'

Only allow group owners to query environment scopes See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127384 Merged-by: Roy Zwambag <rzwambag@gitlab.com> Approved-by: Michał Zając <mzajac@gitlab.com> Approved-by: Roy Zwambag <rzwambag@gitlab.com> Co-authored-by: Erick Bajao <fbajao@gitlab.com>

Merge branch 'eb-fix-environment-scopes-graphql-auth' into 'master'
Only allow group owners to query environment scopes See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127384 Merged-by: Roy Zwambag <rzwambag@gitlab.com> Approved-by: Michał Zając <mzajac@gitlab.com> Approved-by: Roy Zwambag <rzwambag@gitlab.com> Co-authored-by: Erick Bajao <fbajao@gitlab.com>
5afed5fa · Roy Zwambag · d8c1b8a2 · 98e59130 · 5afed5fa · 5afed5fa
--- a/app/graphql/types/group_type.rb
+++ b/app/graphql/types/group_type.rb
@@ -87,6 +87,7 @@ class GroupType < NamespaceType
          Types::Ci::GroupEnvironmentScopeType.connection_type,
          description: 'Environment scopes of the group.',
          null: true,
+          authorize: :admin_group,
          resolver: Resolvers::GroupEnvironmentScopesResolver

    field :milestones,

--- a/spec/graphql/types/group_type_spec.rb
+++ b/spec/graphql/types/group_type_spec.rb
@@ -26,7 +26,7 @@
      dependency_proxy_image_prefix dependency_proxy_image_ttl_policy
      shared_runners_setting timelogs organization_state_counts organizations
      contact_state_counts contacts work_item_types
-      recent_issue_boards ci_variables releases
+      recent_issue_boards ci_variables releases environment_scopes
    ]

    expect(described_class).to include_graphql_fields(*expected_fields)

--- a/spec/requests/api/graphql/ci/group_environment_scopes_spec.rb
+++ b/spec/requests/api/graphql/ci/group_environment_scopes_spec.rb
@@ -33,36 +33,55 @@
  end

  before do
-    group.add_developer(user)
    expected_environment_scopes.each_with_index do |env, index|
      create(:ci_group_variable, group: group, key: "var#{index + 1}", environment_scope: env)
    end
  end

-  context 'when query has no parameters' do
-    let(:environment_scopes_params) { "" }
+  context 'when the user can administer the group' do
+    before do
+      group.add_owner(user)
+    end

-    it 'returns all avaiable environment scopes' do
-      post_graphql(query, current_user: user)
+    context 'when query has no parameters' do
+      let(:environment_scopes_params) { "" }

-      expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
-        expected_environment_scopes.map { |env_scope| { 'name' => env_scope } }
-      )
+      it 'returns all avaiable environment scopes' do
+        post_graphql(query, current_user: user)
+
+        expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
+          expected_environment_scopes.map { |env_scope| { 'name' => env_scope } }
+        )
+      end
+    end
+
+    context 'when query has search parameters' do
+      let(:environment_scopes_params) { "(search: \"group1\")" }
+
+      it 'returns only environment scopes with group1 prefix' do
+        post_graphql(query, current_user: user)
+
+        expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
+          [
+            { 'name' => 'group1_environment1' },
+            { 'name' => 'group1_environment2' }
+          ]
+        )
+      end
    end
  end

-  context 'when query has search parameters' do
-    let(:environment_scopes_params) { "(search: \"group1\")" }
+  context 'when the user cannot administer the group' do
+    let(:environment_scopes_params) { "" }
+
+    before do
+      group.add_developer(user)
+    end

-    it 'returns only environment scopes with group1 prefix' do
+    it 'returns nothing' do
      post_graphql(query, current_user: user)

-      expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
-        [
-          { 'name' => 'group1_environment1' },
-          { 'name' => 'group1_environment2' }
-        ]
-      )
+      expect(graphql_data.dig('group', 'environmentScopes')).to be_nil
    end
  end
 end