提交 98e59130 编辑于 作者: Erick Bajao's avatar Erick Bajao

Only allow group owners to query environment scopes

This prevents environment scopes from being queried by
non-group-owners through GraphQL.

Changelog: fixed
上级 75a10d45
...@@ -87,6 +87,7 @@ class GroupType < NamespaceType ...@@ -87,6 +87,7 @@ class GroupType < NamespaceType
Types::Ci::GroupEnvironmentScopeType.connection_type, Types::Ci::GroupEnvironmentScopeType.connection_type,
description: 'Environment scopes of the group.', description: 'Environment scopes of the group.',
null: true, null: true,
authorize: :admin_group,
resolver: Resolvers::GroupEnvironmentScopesResolver resolver: Resolvers::GroupEnvironmentScopesResolver
field :milestones, field :milestones,
......
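Review bot: The field description still reads `'Environment scopes of the group.'`, so the generated schema documentation gives no hint that the field now resolves to `null` for callers without `admin_group`. I would extend it to something like `description: 'Environment scopes of the group. Returns null if the user lacks admin_group permission.'`. The added `authorize: :admin_group` guards only this field on GroupType. `Resolvers::GroupEnvironmentScopesResolver` is not visible in the hunk, and if it is mounted on another type it would presumably run without this check, so it is worth confirming whether the resolver should enforce the permission itself. The opening `field` line of this definition is not visible in the hunk.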
...@@ -26,7 +26,7 @@ ...@@ -26,7 +26,7 @@
dependency_proxy_image_prefix dependency_proxy_image_ttl_policy dependency_proxy_image_prefix dependency_proxy_image_ttl_policy
shared_runners_setting timelogs organization_state_counts organizations shared_runners_setting timelogs organization_state_counts organizations
contact_state_counts contacts work_item_types contact_state_counts contacts work_item_types
recent_issue_boards ci_variables releases recent_issue_boards ci_variables releases environment_scopes
] ]
expect(described_class).to include_graphql_fields(*expected_fields) expect(described_class).to include_graphql_fields(*expected_fields)
......
...@@ -33,36 +33,55 @@ ...@@ -33,36 +33,55 @@
end end
before do before do
group.add_developer(user)
expected_environment_scopes.each_with_index do |env, index| expected_environment_scopes.each_with_index do |env, index|
create(:ci_group_variable, group: group, key: "var#{index + 1}", environment_scope: env) create(:ci_group_variable, group: group, key: "var#{index + 1}", environment_scope: env)
end end
end end
context 'when query has no parameters' do context 'when the user can administer the group' do
let(:environment_scopes_params) { "" } before do
group.add_owner(user)
end
it 'returns all avaiable environment scopes' do context 'when query has no parameters' do
post_graphql(query, current_user: user) let(:environment_scopes_params) { "" }
expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq( it 'returns all avaiable environment scopes' do
expected_environment_scopes.map { |env_scope| { 'name' => env_scope } } post_graphql(query, current_user: user)
)
expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
expected_environment_scopes.map { |env_scope| { 'name' => env_scope } }
)
end
end
context 'when query has search parameters' do
let(:environment_scopes_params) { "(search: \"group1\")" }
it 'returns only environment scopes with group1 prefix' do
post_graphql(query, current_user: user)
expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
[
{ 'name' => 'group1_environment1' },
{ 'name' => 'group1_environment2' }
]
)
end
end end
end end
context 'when query has search parameters' do context 'when the user cannot administer the group' do
let(:environment_scopes_params) { "(search: \"group1\")" } let(:environment_scopes_params) { "" }
before do
group.add_developer(user)
end
it 'returns only environment scopes with group1 prefix' do it 'returns nothing' do
post_graphql(query, current_user: user) post_graphql(query, current_user: user)
expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq( expect(graphql_data.dig('group', 'environmentScopes')).to be_nil
[
{ 'name' => 'group1_environment1' },
{ 'name' => 'group1_environment2' }
]
)
end end
end end
end end
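Review bot: The negative case in 'when the user cannot administer the group' exercises only a developer, so the role directly below the new boundary is untested. Assuming maintainers do not hold `admin_group`, using `group.add_maintainer(user)` there, or adding a second context for it, would pin the owners-only rule the commit title states. That context also runs only with an empty `environment_scopes_params`, so a non-owner never sends the `search` argument; a second example with `"(search: \"group1\")"` expecting `be_nil` would close that gap cheaply. The moved example still carries the typo in `'returns all avaiable environment scopes'`. The enclosing describe block starts outside the hunk.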