Allow GraphQL Scalar-fields to be authorized
GraphQL Scalar fields (e.g., ones that return Strings, or Integers) currently throw an error when we apply our authorization.
To authorize these fields, the subject for the permission check needs to be different from when the field return type is a subclass of Types::BaseObject.
This works
When :my_field returns a MergeRequest:
  class ProjectType
    field :my_field, Types::MergeRequestType, authorize: :some_permission
  end
This doesn't work
When :my_field returns a String, this would throw an error as we end up checking Ability.allowed?(current_user, :some_permission, "a string"):
  class ProjectType
    field :my_field, GraphQL::STRING_TYPE, authorize: :some_permission
  end
What to do
In the above example, the intention of the code would be for :some_permission to be checked against the Project.
Our authorization class should check permissions defined on Scalar-type fields against the resolved value of the "parent" type, rather than the resolved value of the field.
This has come up in https://gitlab.com/gitlab-org/gitlab-ce/issues/55316#note_138938352 where the decision was made to remove the GraphQL Project fields that we cannot authorize until we're able to.
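Sketch of the subject selection described above, as an added example that is not GitLab's or graphql-ruby's code: the Types, Ability, Project, MergeRequest and Field definitions below are hypothetical stand-ins, and STRING_TYPE stands in for GraphQL::STRING_TYPE.

```ruby
# Added example (not GitLab's code): pick the permission-check subject by
# whether the field's return type is an object type or a scalar.
# All classes here are hypothetical stand-ins for the real ones.
module Types
  class BaseObject; end                        # stand-in for Types::BaseObject
  class MergeRequestType < Types::BaseObject; end
end
STRING_TYPE = :string                          # stand-in for GraphQL::STRING_TYPE

# Toy domain objects carrying the permissions they grant.
Project      = Struct.new(:name, :allowed_permissions)
MergeRequest = Struct.new(:title, :allowed_permissions)

module Ability
  # Stand-in for Ability.allowed?(user, permission, subject). A String has no
  # policy, so checking a scalar's own value can never succeed.
  def self.allowed?(_user, permission, subject)
    return false unless subject.respond_to?(:allowed_permissions)
    subject.allowed_permissions.include?(permission)
  end
end

Field = Struct.new(:name, :type, :authorize)

# Anything that is not a Types::BaseObject subclass is treated as a scalar.
def scalar_type?(type)
  !(type.is_a?(Class) && type <= Types::BaseObject)
end

# Scalar fields are checked against the resolved parent; object fields
# against their own resolved value.
def authorization_subject(field, parent_value, field_value)
  scalar_type?(field.type) ? parent_value : field_value
end

def authorized?(user, field, parent_value, field_value)
  return true if field.authorize.nil?
  subject = authorization_subject(field, parent_value, field_value)
  Ability.allowed?(user, field.authorize, subject)
end

if __FILE__ == $PROGRAM_NAME
  project = Project.new("gitlab", [:some_permission])
  string_field = Field.new(:my_field, STRING_TYPE, :some_permission)
  puts authorized?(nil, string_field, project, "a string")   # true
end
```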