disable changelog display w/o perms

michaeljguarino · michaeljguarino · commit 191c281084fa · 2022-12-09T20:00:19.000-05:00
diff --git a/lib/console/graphql/schema.ex b/lib/console/graphql/schema.ex
@@ -1,6 +1,7 @@
 defmodule Console.GraphQl.Schema do
   use Console.GraphQl.Schema.Base
   alias Console.Schema
+  alias Console.Middleware.{Rbac}
   alias Console.GraphQl.Resolvers.{Build, User}
 
   import_types Absinthe.Plug.Types
@@ -43,7 +44,10 @@ defmodule Console.GraphQl.Schema do
 
     field :creator,  :user, resolve: dataloader(User)
     field :approver, :user, resolve: dataloader(User)
-    field :changelogs, list_of(:changelog), resolve: dataloader(Build)
+    field :changelogs, list_of(:changelog) do
+      middleware Rbac, perm: :configure, field: :repository
+      resolve dataloader(Build)
+    end
 
     timestamps()
   end
diff --git a/test/console/graphql/queries/build_queries_test.exs b/test/console/graphql/queries/build_queries_test.exs
@@ -26,6 +26,8 @@ defmodule Console.GraphQl.BuildQueriesTest do
     test "It can sideload commands for a build" do
       build      = insert(:build)
       changelogs = insert_list(3, :changelog, build: build)
+      user = insert(:user)
+      setup_rbac(user, [build.repository], configure: true)
       commands   = for i <- 1..3,
         do: insert(:command, build: build, inserted_at: Timex.now() |> Timex.shift(days: -i))
       expected = commands |> Enum.map(& &1.id) |> Enum.reverse()
@@ -49,12 +51,48 @@ defmodule Console.GraphQl.BuildQueriesTest do
             }
           }
         }
-      """, %{"id" => build.id}, %{current_user: insert(:user)})
+      """, %{"id" => build.id}, %{current_user: user})
 
       assert found["id"] == build.id
       assert found["creator"]["id"] == build.creator_id
       assert ids_equal(found["changelogs"], changelogs)
       assert from_connection(found["commands"]) |> Enum.map(& &1["id"]) == expected
     end
+
+    test "users w/o perms cannot sideload changelogs" do
+      user = insert(:user)
+      build = insert(:build)
+      setup_rbac(user, ["other"], configure: true)
+      insert_list(3, :changelog, build: build)
+      commands   = for i <- 1..3,
+        do: insert(:command, build: build, inserted_at: Timex.now() |> Timex.shift(days: -i))
+      expected = commands |> Enum.map(& &1.id) |> Enum.reverse()
+
+      {:ok, %{data: %{"build" => found}, errors: [_ | _]}} = run_query("""
+        query Build($id: ID!) {
+          build(id: $id) {
+            id
+            creator {
+              id
+            }
+            changelogs {
+              id
+            }
+            commands(first: 10) {
+              edges {
+                node {
+                  id
+                }
+              }
+            }
+          }
+        }
+      """, %{"id" => build.id}, %{current_user: user})
+
+      assert found["id"] == build.id
+      assert found["creator"]["id"] == build.creator_id
+      refute found["changelogs"]
+      assert from_connection(found["commands"]) |> Enum.map(& &1["id"]) == expected
+    end
   end
 end
