- `edge_nodes` needs to get called on the object
- added `include GlobalID::Identification` in a couple places
- renamed `object` to `item` in spec due to conflict
- Due to https://github.com/exAspArk/batch-loader/pull/32,
we changed BatchLoader.for into BatchLoader::GraphQL.for
- since our results are wrapped in a BatchLoader::GraphQL,
calling `sync` during authorization is required to get real object
- `graphql` now has it's own authorization system. Our
`authorized?` method conflicted and required renaming
Adding new `AddAwardEmoji`, `RemoveAwardEmoji` and `ToggleAwardEmoji`
GraphQL mutations.
Adding new `#authorized_find_with_pre_checks!` and (unused, but for
completeness `#authorized_find_with_post_checks!`) authorization
methods. These allow us to perform an authorized find, and run our own
additional checks before or after the authorization runs.
https://gitlab.com/gitlab-org/gitlab-ce/issues/62826
Raise an exception if a developer calls any of the GraphQL authorization
methods and a `authorize :permission` is missing from a mutation class.
Previously `authorized?` would return `true` in this situation, which
although technically is accurate is not what a developer is intending.
This makes sure we also enforce authorizations for non-nullable
fields.
We are defining our authorizations on the unwrapped
types (Repository). But when a type like that is presented in a
non-nullable field, it's type is different (Repository!). The
non-nullable type would not have the authorization metadata.
This makes sure we check the metadata on the unwrapped type for
finding authorizations.
Enables authorizations to be defined on GraphQL Types.
module Types
class ProjectType < BaseObject
authorize :read_project
end
end
If a field has authorizations defined on it, and the return type of the
field also has authorizations defined on it. then all of the combined
permissions in the authorizations will be checked and must pass.
Connection fields are checked by "digging" to find the type class of the
"node" field in the expected location of edges->node.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54417
Previously GraphQL field authorization happened like this:
class ProjectType
field :my_field, MyFieldType do
authorize :permission
end
end
This change allowed us to authorize like this instead:
class ProjectType
field :my_field, MyFieldType, authorize: :permission
end
A new initializer registers the `authorize` metadata keyword on GraphQL
Schema Objects and Fields, and we can collect this data within the
context of Instrumentation like this:
field.metadata[:authorize]
The previous functionality of authorize is still being used for
mutations, as the #authorize method here is called at during the code
that executes during the mutation, rather than when a field resolves.
https://gitlab.com/gitlab-org/gitlab-ce/issues/57828
GitLab Bot
Brett Walker
Marin Jankovski
Marin Jankovski
Luke Duncalfe
Bob Van Landuyt
Lin Jen-Shin