Fix timelog type policy check

Changelog: fixed

Fix timelog type policy check
cb871760 · Lee Tickett · 8ff1f22d · cb871760 · cb871760 · cb871760
--- a/app/graphql/types/timelog_type.rb
+++ b/app/graphql/types/timelog_type.rb
@@ -4,7 +4,7 @@ module Types
  class TimelogType < BaseObject
    graphql_name 'Timelog'

-    authorize :read_issue
+    authorize :read_issuable

    expose_permissions Types::PermissionTypes::Timelog


--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -5,6 +5,7 @@ class IssuablePolicy < BasePolicy

  condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
  condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
+  condition(:can_read_issuable) { can?(:"read_#{@subject.to_ability_name}") }

  desc "User is the assignee or author"
  condition(:assignee_or_author) do
@@ -48,6 +49,10 @@ class IssuablePolicy < BasePolicy
  rule { can?(:reporter_access) }.policy do
    enable :create_timelog
  end
+
+  rule { can_read_issuable }.policy do
+    enable :read_issuable
+  end
 end

 IssuablePolicy.prepend_mod_with('IssuablePolicy')
--- a/spec/graphql/types/timelog_type_spec.rb
+++ b/spec/graphql/types/timelog_type_spec.rb
@@ -7,7 +7,7 @@

  it { expect(described_class.graphql_name).to eq('Timelog') }
  it { expect(described_class).to have_graphql_fields(fields) }
-  it { expect(described_class).to require_graphql_authorizations(:read_issue) }
+  it { expect(described_class).to require_graphql_authorizations(:read_issuable) }
  it { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Timelog) }

  describe 'user field' do

--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -18,8 +18,8 @@
    project.add_reporter(reporter)
  end

-  def permissions(user, issue)
-    described_class.new(user, issue)
+  def permissions(user, issuable)
+    described_class.new(user, issuable)
  end

  describe '#rules' do
@@ -153,5 +153,55 @@ def permissions(user, issue)
        expect(permissions(reporter, issue)).to be_allowed(:create_timelog)
      end
    end
+
+    context 'when subject is a Merge Request' do
+      let(:issuable) { create(:merge_request) }
+      let(:policy) { permissions(user, issuable) }
+
+      before do
+        allow(policy).to receive(:can?).with(:read_merge_request).and_return(can_read_merge_request)
+      end
+
+      context 'when can_read_merge_request is false' do
+        let(:can_read_merge_request) { false }
+
+        it 'does not allow :read_issuable' do
+          expect(policy).not_to be_allowed(:read_issuable)
+        end
+      end
+
+      context 'when can_read_merge_request is true' do
+        let(:can_read_merge_request) { true }
+
+        it 'allows :read_issuable' do
+          expect(policy).to be_allowed(:read_issuable)
+        end
+      end
+    end
+
+    context 'when subject is an Issue' do
+      let(:issuable) { create(:issue) }
+      let(:policy) { permissions(user, issuable) }
+
+      before do
+        allow(policy).to receive(:can?).with(:read_issue).and_return(can_read_issue)
+      end
+
+      context 'when can_read_issue is false' do
+        let(:can_read_issue) { false }
+
+        it 'does not allow :read_issuable' do
+          expect(policy).not_to be_allowed(:read_issuable)
+        end
+      end
+
+      context 'when can_read_issue is true' do
+        let(:can_read_issue) { true }
+
+        it 'allows :read_issuable' do
+          expect(policy).to be_allowed(:read_issuable)
+        end
+      end
+    end
  end
 end