NoMethodError in Subscriptions::User::MergeRequestUpdated when current_user is nil
Summary
Sentry error: https://new-sentry.gitlab.net/organizations/gitlab/issues/1722157
A NoMethodError is raised in the Subscriptions::User::MergeRequestUpdated GraphQL subscription when its authorization check calls id on a nil current_user.
Error Details
NoMethodError: undefined method `id' for nil:NilClass (NoMethodError)
unauthorized! unless user && current_user.id == user.id
^^^
Location: app/graphql/subscriptions/user/merge_request_updated.rb:17 in authorized? method
Backtrace
NoMethodError: undefined method `id' for nil:NilClass (NoMethodError)
unauthorized! unless user && current_user.id == user.id
^^^
from app/graphql/subscriptions/user/merge_request_updated.rb:17:in `authorized?'
from graphql/schema/resolver.rb:89:in `block (2 levels) in resolve_with_support'
from graphql/schema.rb:1647:in `after_lazy'
from graphql/query.rb:30:in `after_lazy'
from graphql/schema/resolver.rb:84:in `block in resolve_with_support'
from graphql/schema.rb:1647:in `after_lazy'
from graphql/query.rb:30:in `after_lazy'
from graphql/schema/resolver.rb:72:in `resolve_with_support'
from graphql/schema/subscription.rb:41:in `block in resolve_with_support'
from graphql/schema/subscription.rb:40:in `catch'
from graphql/schema/subscription.rb:40:in `resolve_with_support'
from graphql/schema/field.rb:758:in `public_send'
from graphql/schema/field.rb:758:in `block (2 levels) in resolve'
from graphql/schema/field.rb:903:in `block in with_extensions'
from graphql/schema/field.rb:939:in `block (2 levels) in run_extensions_before_resolve'
from graphql/schema/field.rb:939:in `block (2 levels) in run_extensions_before_resolve'
from graphql/schema/field.rb:939:in `block (2 levels) in run_extensions_before_resolve'
from graphql/schema/field.rb:942:in `run_extensions_before_resolve'
from graphql/schema/field.rb:939:in `block in run_extensions_before_resolve'
from graphql/subscriptions/default_subscription_resolve_extension.rb:16:in `resolve'
from graphql/schema/field.rb:926:in `run_extensions_before_resolve'
from graphql/schema/field.rb:939:in `block in run_extensions_before_resolve'
from graphql/schema/field_extension.rb:134:in `resolve'
from graphql/schema/field.rb:926:in `run_extensions_before_resolve'
from graphql/schema/field.rb:939:in `block in run_extensions_before_resolve'
from lib/gitlab/graphql/present/field_extension.rb:18:in `resolve'
from graphql/schema/field.rb:926:in `run_extensions_before_resolve'
from graphql/schema/field.rb:898:in `with_extensions'
from graphql/schema/field.rb:729:in `block in resolve'
from graphql/schema.rb:1647:in `after_lazy'
from graphql/query.rb:30:in `after_lazy'
from graphql/schema/field.rb:727:in `resolve'
Root Cause
The authorization check accesses current_user.id without first verifying that current_user is not nil. The condition guards user with &&, but does not apply the same guard to current_user before calling .id on it, so an unauthenticated subscriber triggers a NoMethodError instead of a clean unauthorized! rejection.
Suggested Fix
The authorization logic should verify that current_user is present before accessing its id:
unauthorized! unless user && current_user && current_user.id == user.id
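To show the effect of the fix, here is an added example (not GitLab's code) that re-creates the authorized? check in a minimal stand-in class, with the original condition beside the corrected one. The User struct, UnauthorizedError, MergeRequestUpdatedSubscription and outcome are all constructed for this example and are not part of the GitLab code base.

```ruby
# Constructed stand-ins for this example; not the real GitLab classes.
User = Struct.new(:id)

class UnauthorizedError < StandardError; end

class MergeRequestUpdatedSubscription
  attr_reader :current_user

  def initialize(current_user)
    @current_user = current_user
  end

  # Original condition: when current_user is nil, `current_user.id` raises
  # NoMethodError, which surfaces as a server error rather than a denial.
  def authorized_broken?(user)
    unauthorized! unless user && current_user.id == user.id
    true
  end

  # Corrected condition: current_user is checked before its id is read, so an
  # unauthenticated subscriber is rejected cleanly (fail closed).
  def authorized_fixed?(user)
    unauthorized! unless user && current_user && current_user.id == user.id
    true
  end

  private

  # Stand-in for the subscription's unauthorized! helper.
  def unauthorized!
    raise UnauthorizedError, 'not authorized to subscribe to this user'
  end
end

# Classifies what a given variant does for a subscriber: :authorized,
# :denied (clean rejection) or :crashed (NoMethodError escaped).
def outcome(subscription, user, variant)
  subscription.public_send(variant, user) ? :authorized : :denied
rescue UnauthorizedError
  :denied
rescue NoMethodError
  :crashed
end
```

Running outcome with a nil current_user against both variants shows the broken check crashing and the fixed check denying; the fixed check still authorizes only the matching user.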
Edited by 🤖 GitLab Bot 🤖