Fix graphql permission issues

Knerio · Knerio · commit 367a282b0cfe · 2025-11-15T21:26:00.000+01:00
diff --git a/app/graphql/types/query_type.rb b/app/graphql/types/query_type.rb
@@ -92,9 +92,7 @@ def user(id:)
     end
 
     def users
-      unless Ability.allowed?(current_authentication, :list_users, :global)
-        raise GraphQL::UnauthorizedError, 'You do not have permission to list all users'
-      end
+      return User.none unless Ability.allowed?(context[:current_authentication], :list_users, :global)
 
       User.all
     end
diff --git a/docs/graphql/object/query.md b/docs/graphql/object/query.md
@@ -68,3 +68,13 @@ Returns [`Organization`](../object/organization.md).
 |------|------|-------------|
 | `id` | [`OrganizationID`](../scalar/organizationid.md) | GlobalID of the target organization |
 | `name` | [`String`](../scalar/string.md) | Name of the target organization |
+
+### user
+
+Find a user
+
+Returns [`User`](../object/user.md).
+
+| Name | Type | Description |
+|------|------|-------------|
+| `id` | [`UserID!`](../scalar/userid.md) | GlobalID of the target user |
diff --git a/spec/requests/graphql/query/users_query_spec.rb b/spec/requests/graphql/query/users_query_spec.rb
@@ -5,8 +5,6 @@
 RSpec.describe 'users Query' do
   include GraphqlHelpers
 
-  subject(:query!) { post_graphql query, current_user: current_user }
-
   let(:query) do
     <<~QUERY
       query {
@@ -20,56 +18,35 @@
     QUERY
   end
 
-  let!(:user1) { create(:user) }
-  let!(:user2) { create(:user) }
-  let!(:user3) { create(:user) }
+  before do
+    create(:user)
+    create(:user)
+    create(:user)
+
+    post_graphql query, current_user: current_user
+  end
 
   context 'when anonymous' do
     let(:current_user) { nil }
 
     it 'returns an error' do
-      query!
-
-      expect(graphql_errors).to include(
-        a_hash_including(
-          'message' => 'You do not have permission to list all users'
-        )
-      )
+      expect(graphql_data_at(:users, :nodes)).to be_empty
     end
   end
 
   context 'when logged in as regular user' do
     let(:current_user) { create(:user) }
 
     it 'returns an error' do
-      query!
-
-      expect(graphql_errors).to include(
-        a_hash_including(
-          'message' => 'You do not have permission to list all users'
-        )
-      )
+      expect(graphql_data_at(:users, :nodes)).to be_empty
     end
   end
 
   context 'when logged in as admin user' do
     let(:current_user) { create(:user, :admin) }
 
     it 'returns all users' do
-      query!
-
-      expect(graphql_data_at(:users, :nodes)).to contain_exactly(
-        a_graphql_entity_for(user1),
-        a_graphql_entity_for(user2),
-        a_graphql_entity_for(user3),
-        a_graphql_entity_for(current_user)
-      )
-    end
-
-    it 'does not return errors' do
-      query!
-
-      expect(graphql_errors).to be_nil
+      expect(graphql_data_at(:users, :nodes)).to have_attributes(length: 4)
     end
   end
 end
