Streaming destinations should not be created for subgroups via API
Current behavior
Our GraphQL API currently allows for destinations for audit events at the subgroup-level.
def resolve(destination_url:, group_path:)
group = authorized_find!(group_path)
destination = ::AuditEvents::ExternalAuditEventDestination.new(group: group, destination_url: destination_url)
audit(destination, action: :create) if destination.save
{ external_audit_event_destination: (destination if destination.persisted?), errors: Array(destination.errors) }
end
private
def find_object(group_path)
::Group.find_by_full_path(group_path)
end
Expected behavior
Destinations should only be allowed to be set up at the root group-level.
Technical implementation
Attempting to create a destination on a subgroup should return a 400 Bad Request error.
Edited by Max Woolf