diff --git a/app/graphql/types/timelog_type.rb b/app/graphql/types/timelog_type.rb
index c3fb9b779275ba94f780a32ef262967f94dc2507..3856e1aa3b357b43ecab0a8beaf64dd32fc54b82 100644
--- a/app/graphql/types/timelog_type.rb
+++ b/app/graphql/types/timelog_type.rb
@@ -4,7 +4,7 @@ module Types
 class TimelogType < BaseObject
 graphql_name 'Timelog'
- authorize :read_issue
+ authorize :read_issuable
 expose_permissions Types::PermissionTypes::Timelog
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 3c5e1020c8a0fe38cdd8b9f10667e45918216cbb..e5913bab7268d38f98cd0dc9e10dc1e0e7993c14 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -5,6 +5,7 @@ class IssuablePolicy < BasePolicy
 condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
 condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
+ condition(:can_read_issuable) { can?(:"read_#{@subject.to_ability_name}") }
 desc "User is the assignee or author"
 condition(:assignee_or_author) do
@@ -48,6 +49,10 @@ class IssuablePolicy < BasePolicy
 rule { can?(:reporter_access) }.policy do
 enable :create_timelog
 end
+
+ rule { can_read_issuable }.policy do
+ enable :read_issuable
+ end
 end
 IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/spec/graphql/types/timelog_type_spec.rb b/spec/graphql/types/timelog_type_spec.rb
index c897a25d10dfc900c30c4906651a3f0662393569..3a26ba89e04d71bd43acf585e5fb0f27b4554411 100644
--- a/spec/graphql/types/timelog_type_spec.rb
+++ b/spec/graphql/types/timelog_type_spec.rb
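Review bot: `authorize :read_issuable` in `TimelogType` is evaluated against the Timelog object, so this gate is only as strong as the Timelog policy's delegation to its issue or merge request, and that policy is not part of this diff. If the delegation is in place, confidential-issue and private-project restrictions should carry over, because `:read_issuable` is derived from `read_issue` / `read_merge_request` in the IssuablePolicy change. That is worth confirming with a request-level spec rather than assuming. I would also add a short comment above the line, e.g. `# Timelogs belong to issues or merge requests, so authorize on the issuable-agnostic ability`, so the check is not narrowed back to `:read_issue` later.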
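Review bot: The new `can_read_issuable` condition in `IssuablePolicy` builds its ability name from `@subject.to_ability_name` and has no `desc`, unlike `assignee_or_author` just below it. Adding `desc "User can read the underlying issuable (read_issue, read_merge_request, ...)"` would document that `:read_issuable`, enabled in the `@@ -48,6 +49,10 @@` hunk, is purely derived from the concrete read ability and is meant to follow every `prevent` placed on it. For an issuable type whose policy defines no matching `read_<name>` ability the check presumably evaluates to false, which is the safe default, but no spec in this change covers that case. The class body continues outside the hunk.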
@@ -7,7 +7,7 @@
 it { expect(described_class.graphql_name).to eq('Timelog') }
 it { expect(described_class).to have_graphql_fields(fields) }
- it { expect(described_class).to require_graphql_authorizations(:read_issue) }
+ it { expect(described_class).to require_graphql_authorizations(:read_issuable) }
 it { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Timelog) }
 describe 'user field' do
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index 706570babd58ee10de876d4ac0a58719c397a1e6..fd7ec5917d698bd921a56aba6dd9d094f5b8da32 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -18,8 +18,8 @@
 project.add_reporter(reporter)
 end
- def permissions(user, issue)
- described_class.new(user, issue)
+ def permissions(user, issuable)
+ described_class.new(user, issuable)
 end
 describe '#rules' do
@@ -153,5 +153,55 @@ def permissions(user, issue)
 expect(permissions(reporter, issue)).to be_allowed(:create_timelog)
 end
 end
+
+ context 'when subject is a Merge Request' do
+ let(:issuable) { create(:merge_request) }
+ let(:policy) { permissions(user, issuable) }
+
+ before do
+ allow(policy).to receive(:can?).with(:read_merge_request).and_return(can_read_merge_request)
+ end
+
+ context 'when can_read_merge_request is false' do
+ let(:can_read_merge_request) { false }
+
+ it 'does not allow :read_issuable' do
+ expect(policy).not_to be_allowed(:read_issuable)
+ end
+ end
+
+ context 'when can_read_merge_request is true' do
+ let(:can_read_merge_request) { true }
+
+ it 'allows :read_issuable' do
+ expect(policy).to be_allowed(:read_issuable)
+ end
+ end
+ end
+
+ context 'when subject is an Issue' do
+ let(:issuable) { create(:issue) }
+ let(:policy) { permissions(user, issuable) }
+
+ before do
+ allow(policy).to receive(:can?).with(:read_issue).and_return(can_read_issue)
+ end
+
+ context 'when can_read_issue is false' do
+ let(:can_read_issue) { false }
+
+ it 'does not allow :read_issuable' do
+ expect(policy).not_to be_allowed(:read_issuable)
+ end
+ end
+
+ context 'when can_read_issue is true' do
+ let(:can_read_issue) { true }
+
+ it 'allows :read_issuable' do
+ expect(policy).to be_allowed(:read_issuable)
+ end
+ end
+ end
 end
 end
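Review bot: Both new contexts stub `can?` on the policy under test (`allow(policy).to receive(:can?).with(:read_issue)` and the merge-request equivalent), so they only prove the name mapping and would still pass if a real restriction stopped flowing through to `:read_issuable`. Since this ability now gates the Timelog GraphQL type, I would add at least one un-stubbed example in which a user who is not a project member is denied on a confidential issue, sketched below. `user` and the enclosing describe block are defined outside the hunk.

```ruby
# … unchanged: stubbed 'when subject is a Merge Request' / 'when subject is an Issue' contexts …

context 'when the issue is confidential and the user is not a project member' do
  let(:issuable) { create(:issue, confidential: true) }
  let(:non_member) { create(:user) }

  it 'does not allow :read_issuable' do
    expect(permissions(non_member, issuable)).not_to be_allowed(:read_issuable)
  end
end
```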