Allow GraphQL Scalar-fields to be authorized

GraphQL Scalar fields (e.g., ones that return Strings, or Integers) currently throw an error when we apply our authorization.

To authorize these fields, the subject for the permission check needs to be different from when the field return type is a subclass of Types::BaseObject.

This works

When :my_field returns a MergeRequest:

class ProjectType
  field :my_field, Types::MergeRequestType, authorize: :some_permission
end

This doesn't work

When :my_field returns a String, this would throw an error as we end up checking Ability.allowed?(current_user, :some_permission, "a string"):

class ProjectType
  field :my_field, GraphQL::STRING_TYPE, authorize: :some_permission
end

What to do

In the above example, the intention of the code would be for :some_permission to be checked against the Project.

Our authorization class should check permissions defined on Scalar-type fields against the resolved value of the "parent" type, rather than the resolved value of the field.

This has come up in https://gitlab.com/gitlab-org/gitlab-ce/issues/55316#note_138938352 where the decision was made to remove the GraphQL Project fields that we cannot authorize until we're able to.

Edited Feb 18, 2019 by Luke Duncalfe