Only allow group owners to query environment scopes

This prevents environment scopes to be queried by non-group-owners through GraphQL. Changelog: fixed

Only allow group owners to query environment scopes
98e59130 · Erick Bajao · 75a10d45 · 98e59130 · 98e59130 · 98e59130
--- a/app/graphql/types/group_type.rb
+++ b/app/graphql/types/group_type.rb
@@ -87,6 +87,7 @@ class GroupType < NamespaceType
          Types::Ci::GroupEnvironmentScopeType.connection_type,
          description: 'Environment scopes of the group.',
          null: true,
+          authorize: :admin_group,
          resolver: Resolvers::GroupEnvironmentScopesResolver
    field :milestones,

--- a/spec/graphql/types/group_type_spec.rb
+++ b/spec/graphql/types/group_type_spec.rb
@@ -26,7 +26,7 @@
      dependency_proxy_image_prefix dependency_proxy_image_ttl_policy
      shared_runners_setting timelogs organization_state_counts organizations
      contact_state_counts contacts work_item_types
-      recent_issue_boards ci_variables releases
+      recent_issue_boards ci_variables releases environment_scopes
    ]
    expect(described_class).to include_graphql_fields(*expected_fields)

--- a/spec/requests/api/graphql/ci/group_environment_scopes_spec.rb
+++ b/spec/requests/api/graphql/ci/group_environment_scopes_spec.rb
@@ -33,36 +33,55 @@
  end
  before do
-    group.add_developer(user)
    expected_environment_scopes.each_with_index do |env, index|
      create(:ci_group_variable, group: group, key: "var#{index + 1}", environment_scope: env)
    end
  end
-  context 'when query has no parameters' do
+  context 'when the user can administer the group' do
-    let(:environment_scopes_params) { "" }
+    before do
+      group.add_owner(user)
+    end
-    it 'returns all avaiable environment scopes' do
+    context 'when query has no parameters' do
-      post_graphql(query, current_user: user)
+      let(:environment_scopes_params) { "" }
-      expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
+      it 'returns all avaiable environment scopes' do
-        expected_environment_scopes.map { |env_scope| { 'name' => env_scope } }
+        post_graphql(query, current_user: user)
-      )
+        expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
+          expected_environment_scopes.map { |env_scope| { 'name' => env_scope } }
+        )
+      end
+    end
+    context 'when query has search parameters' do
+      let(:environment_scopes_params) { "(search: \"group1\")" }
+      it 'returns only environment scopes with group1 prefix' do
+        post_graphql(query, current_user: user)
+        expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
+          [
+            { 'name' => 'group1_environment1' },
+            { 'name' => 'group1_environment2' }
+          ]
+        )
+      end
    end
  end
-  context 'when query has search parameters' do
+  context 'when the user cannot administer the group' do
-    let(:environment_scopes_params) { "(search: \"group1\")" }
+    let(:environment_scopes_params) { "" }
+    before do
+      group.add_developer(user)
+    end
-    it 'returns only environment scopes with group1 prefix' do
+    it 'returns nothing' do
      post_graphql(query, current_user: user)
-      expect(graphql_data.dig('group', 'environmentScopes', 'nodes')).to eq(
+      expect(graphql_data.dig('group', 'environmentScopes')).to be_nil
-        [
-          { 'name' => 'group1_environment1' },
-          { 'name' => 'group1_environment2' }
-        ]
-      )
    end
  end
 end