Make sure we only return public records in the API

When returning a collection of records in the API, we were making sure
we only returned public ones. However, when returning individual
records, we were not checking that.

In practice, this wasn't a big issue, since most `public_for_api`
methods return all records, but it could affect Consul Democracy
installations which might have customized their `public_for_api` method.
The only exception was the `budget` method, since it was returning
budgets that were still in drafting.

spec/graphql/types/query_type_spec.rb

@@ -204,6 +204,16 @@ describe Types::QueryType do
     end
   end
 
+  describe "#comment" do
+    it "does not find comments that are not public" do
+      comment = create(:comment, :valuation, body: "Valuation comment")
+
+      expect do
+        execute("{ comment(id: #{comment.id}) { body } }")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
   describe "#budgets" do
     it "does not include unpublished budgets" do
       create(:budget, :drafting, name: "Draft")
@@ -215,6 +225,16 @@ describe Types::QueryType do
     end
   end
 
+  describe "#budget" do
+    it "does not find budgets that are not public" do
+      budget = create(:budget, :drafting)
+
+      expect do
+        execute("{ budget(id: #{budget.id}) { name } }")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
   describe "#debates" do
     it "does not include hidden debates" do
       create(:debate, title: "Visible")
@@ -240,6 +260,17 @@ describe Types::QueryType do
     end
   end
 
+  describe "#debate" do
+    it "does not find debates that are not public" do
+      allow(Debate).to receive(:public_for_api).and_return(Debate.none)
+      debate = create(:debate)
+
+      expect do
+        execute("{ debate(id: #{debate.id}) { title } } ")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
   describe "#proposals" do
     it "does not include hidden proposals" do
       create(:proposal, title: "Visible")
@@ -265,6 +296,17 @@ describe Types::QueryType do
     end
   end
 
+  describe "#proposal" do
+    it "does not find proposals that are not public" do
+      allow(Proposal).to receive(:public_for_api).and_return(Proposal.none)
+      proposal = create(:proposal)
+
+      expect do
+        execute("{ proposal(id: #{proposal.id}) { title } } ")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
   describe "#geozones" do
     it "returns geozones" do
       geozone_names = [create(:geozone), create(:geozone)].map(&:name)
@@ -276,6 +318,28 @@ describe Types::QueryType do
     end
   end
 
+  describe "#geozone" do
+    it "does not find geozones that are not public" do
+      allow(Geozone).to receive(:public_for_api).and_return(Geozone.none)
+      geozone = create(:geozone)
+
+      expect do
+        execute("{ geozone(id: #{geozone.id}) { name } }")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
+  describe "#milestone" do
+    it "does not find milestones that are not public" do
+      investment = create(:budget_investment, budget: create(:budget, :drafting))
+      milestone = create(:milestone, milestoneable: investment)
+
+      expect do
+        execute("{ milestone(id: #{milestone.id}) { title } }")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
   describe "#proposal_notifications" do
     it "does not include proposal notifications for hidden proposals" do
       visible_proposal = create(:proposal)
@@ -301,6 +365,17 @@ describe Types::QueryType do
     end
   end
 
+  describe "#proposal_notification" do
+    it "does not find proposal notifications that are not public" do
+      allow(Proposal).to receive(:public_for_api).and_return(Proposal.none)
+      notification = create(:proposal_notification)
+
+      expect do
+        execute("{ proposal_notification(id: #{notification.id}) { title } } ")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
   describe "#tags" do
     it "only display tags with kind nil or category" do
       create(:tag, name: "Parks")
@@ -373,6 +448,29 @@ describe Types::QueryType do
     end
   end
 
+  describe "#tag" do
+    it "does not find tags that are not public" do
+      allow(Proposal).to receive(:public_for_api).and_return(Proposal.none)
+      tag = create(:tag, name: "Health")
+      create(:proposal, tag_list: "Health")
+
+      expect do
+        execute("{ tag(id: #{tag.id}) { name } } ")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
+  describe "#user" do
+    it "does not find users that are not public" do
+      allow(User).to receive(:public_for_api).and_return(User.none)
+      user = create(:user)
+
+      expect do
+        execute("{ user(id: #{user.id}) { username } } ")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
+
   describe "#votes" do
     it "only returns votes from proposals, debates and comments" do
       create(:proposal, voters: [create(:user)])
@@ -472,4 +570,15 @@ describe Types::QueryType do
       expect(received_votables).not_to include(not_public_comment.id)
     end
   end
+
+  describe "#vote" do
+    it "does not find votes that are not public" do
+      allow(Debate).to receive(:public_for_api).and_return(Debate.none)
+      vote = create(:vote, votable: create(:debate))
+
+      expect do
+        execute("{ vote(id: #{vote.id}) { votable_id } }")
+      end.to raise_exception ActiveRecord::RecordNotFound
+    end
+  end
 end