action_policy-graphql 0.3.2 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +1 -1
- data/.travis.yml +5 -3
- data/CHANGELOG.md +7 -0
- data/README.md +28 -2
- data/action_policy-graphql.gemspec +2 -2
- data/lib/action_policy/graphql/authorized_field.rb +27 -4
- data/lib/action_policy/graphql/fields.rb +1 -1
- data/lib/action_policy/graphql/version.rb +1 -1
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bd6ef7017bd2bda6778f20997ea146431c9ed368f35ca257fd96c2050f3036c4
|
|
4
|
+
data.tar.gz: 4270fc41dadbbce556841298bcd6b2de62bafd7ac9826dd7b7ea60907d6ba98e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2337aa180c36185a1790863df06346c36ad17e3335d1dcc724ba6de9e9b498d0fb6c36336ee7cabe0489995dfe782447f9c1fe6da1747849a3ae58acb9a6aa90
|
|
7
|
+
data.tar.gz: f7448255b43d4cec0e5f837a11c00b48c74148ba0f2839520f9466286ff5f53594c1bcf1f033a08479790cc426a0a2feaf475a2c11739b2344a2231204b3f52f
|
data/.rubocop.yml
CHANGED
data/.travis.yml
CHANGED
|
@@ -22,14 +22,14 @@ matrix:
|
|
|
22
22
|
gemfile: gemfiles/action_policy/master.gemfile
|
|
23
23
|
- rvm: 2.6
|
|
24
24
|
gemfile: gemfiles/action_policy/0.3.gemfile
|
|
25
|
-
- rvm: jruby-9.2.
|
|
25
|
+
- rvm: jruby-9.2.8.0
|
|
26
26
|
gemfile: gemfiles/jruby.gemfile
|
|
27
|
+
- rvm: 2.7
|
|
28
|
+
gemfile: Gemfile
|
|
27
29
|
- rvm: 2.6
|
|
28
30
|
gemfile: Gemfile
|
|
29
31
|
- rvm: 2.5
|
|
30
32
|
gemfile: Gemfile
|
|
31
|
-
- rvm: 2.4
|
|
32
|
-
gemfile: Gemfile
|
|
33
33
|
allow_failures:
|
|
34
34
|
- rvm: ruby-head
|
|
35
35
|
gemfile: gemfiles/graphql/master.gemfile
|
|
@@ -37,3 +37,5 @@ matrix:
|
|
|
37
37
|
gemfile: gemfiles/graphql/master.gemfile
|
|
38
38
|
- rvm: 2.6
|
|
39
39
|
gemfile: gemfiles/action_policy/master.gemfile
|
|
40
|
+
- rvm: jruby-9.2.8.0
|
|
41
|
+
gemfile: gemfiles/jruby.gemfile
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
## master (unreleased)
|
|
4
4
|
|
|
5
|
+
## 0.4.0 (2010-03-11)
|
|
6
|
+
|
|
7
|
+
- **Require Ruby 2.5+**. ([@palkan][])
|
|
8
|
+
|
|
9
|
+
- Add `authorized_field: *` option to perform authorization on the base of the upper object policy prior to resolving fields. ([@sponomarev][])
|
|
10
|
+
|
|
5
11
|
## 0.3.2 (2019-12-12)
|
|
6
12
|
|
|
7
13
|
- Fix compatibility with Action Policy 0.4.0 ([@haines][])
|
|
@@ -35,3 +41,4 @@ Action Policy helpers there.
|
|
|
35
41
|
|
|
36
42
|
[@palkan]: https://github.com/palkan
|
|
37
43
|
[@haines]: https://github.com/haines
|
|
44
|
+
[@sponomarev]: https://github.com/sponomarev
|
data/README.md
CHANGED
|
@@ -98,7 +98,7 @@ class CityType < ::Common::Graphql::Type
|
|
|
98
98
|
end
|
|
99
99
|
```
|
|
100
100
|
|
|
101
|
-
**NOTE:** you cannot use `authorize: *` and `authorized_scope: *` at the same time but you can combine `preauthorize: *` with `authorized_scope: *`.
|
|
101
|
+
**NOTE:** you cannot use `authorize: *` and `authorized_scope: *` at the same time but you can combine `preauthorize: *` or `authorize_field: *` with `authorized_scope: *`.
|
|
102
102
|
|
|
103
103
|
### `preauthorize: *`
|
|
104
104
|
|
|
@@ -126,7 +126,7 @@ end
|
|
|
126
126
|
**NOTE:** we pass the field's name as the `record` to the policy rule. We assume that preauthorization rules do not depend on
|
|
127
127
|
the record itself and pass the field's name for debugging purposes only.
|
|
128
128
|
|
|
129
|
-
You can customize the authorization options, e.g. `
|
|
129
|
+
You can customize the authorization options, e.g. `preauthorize: {to: :preview?, with: CustomPolicy}`.
|
|
130
130
|
|
|
131
131
|
**NOTE:** unlike `authorize: *` you MUST specify the `with: SomePolicy` option.
|
|
132
132
|
The default authorization rule depends on the type of the field:
|
|
@@ -134,6 +134,32 @@ The default authorization rule depends on the type of the field:
|
|
|
134
134
|
- for lists we use `index?` (configured by `ActionPolicy::GraphQL.default_preauthorize_list_rule` parameter)
|
|
135
135
|
- for _singleton_ fields we use `show?` (configured by `ActionPolicy::GraphQL.default_preauthorize_node_rule` parameter)
|
|
136
136
|
|
|
137
|
+
### `authorize_field: *`
|
|
138
|
+
|
|
139
|
+
If you want to perform authorization before resolving the field value _on the base of the upper object_, you can use `authorize_field: *` option:
|
|
140
|
+
|
|
141
|
+
```ruby
|
|
142
|
+
field :homes, Home, null: false, authorize_field: true
|
|
143
|
+
|
|
144
|
+
def homes
|
|
145
|
+
Home.all
|
|
146
|
+
end
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
The code above is equal to:
|
|
150
|
+
|
|
151
|
+
```ruby
|
|
152
|
+
field :homes, [Home], null: false
|
|
153
|
+
|
|
154
|
+
def homes
|
|
155
|
+
authorize! object, to: :homes?
|
|
156
|
+
Home.all
|
|
157
|
+
end
|
|
158
|
+
```
|
|
159
|
+
By default we use `#{underscored_field_name}?` authorization rule.
|
|
160
|
+
|
|
161
|
+
You can customize the authorization options, e.g. `authorize_field: {to: :preview?, with: CustomPolicy}`.
|
|
162
|
+
|
|
137
163
|
### `expose_authorization_rules`
|
|
138
164
|
|
|
139
165
|
You can add permissions/authorization exposing fields to "tell" clients which actions could be performed against the object or not (and why).
|
|
@@ -29,13 +29,13 @@ Gem::Specification.new do |spec|
|
|
|
29
29
|
|
|
30
30
|
spec.require_paths = ["lib"]
|
|
31
31
|
|
|
32
|
-
spec.required_ruby_version = ">= 2.
|
|
32
|
+
spec.required_ruby_version = ">= 2.5.0"
|
|
33
33
|
|
|
34
34
|
spec.add_dependency "action_policy", ">= 0.3.0"
|
|
35
35
|
spec.add_dependency "graphql", ">= 1.9.3"
|
|
36
36
|
|
|
37
37
|
spec.add_development_dependency "bundler", ">= 1.15"
|
|
38
|
-
spec.add_development_dependency "rake", "~>
|
|
38
|
+
spec.add_development_dependency "rake", "~> 13.0"
|
|
39
39
|
spec.add_development_dependency "rspec", "~> 3.8"
|
|
40
40
|
spec.add_development_dependency "rubocop", "~> 0.67.0"
|
|
41
41
|
spec.add_development_dependency "rubocop-md", "~> 0.3"
|
|
@@ -67,6 +67,28 @@ module ActionPolicy
|
|
|
67
67
|
end
|
|
68
68
|
end
|
|
69
69
|
|
|
70
|
+
class AuthorizeFieldExtension < Extension
|
|
71
|
+
def apply
|
|
72
|
+
@to = extract_option(:to) { underscored_field_name }
|
|
73
|
+
@raise = extract_option(:raise) { ::ActionPolicy::GraphQL.authorize_raise_exception }
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def resolve(context:, object:, arguments:, **_rest)
|
|
77
|
+
if @raise
|
|
78
|
+
object.authorize! object.object, to: @to, **options
|
|
79
|
+
yield object, arguments
|
|
80
|
+
elsif object.allowed_to?(@to, object.object, **options)
|
|
81
|
+
yield object, arguments
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
private
|
|
86
|
+
|
|
87
|
+
def underscored_field_name
|
|
88
|
+
"#{field.instance_variable_get(:@underscored_name)}?".to_sym
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
|
|
70
92
|
class ScopeExtension < Extension
|
|
71
93
|
def after_resolve(value:, context:, object:, **_rest)
|
|
72
94
|
return value if value.nil?
|
|
@@ -75,14 +97,14 @@ module ActionPolicy
|
|
|
75
97
|
end
|
|
76
98
|
end
|
|
77
99
|
|
|
78
|
-
def initialize(*args, preauthorize: nil, authorize: nil, authorized_scope: nil, **kwargs, &block)
|
|
100
|
+
def initialize(*args, preauthorize: nil, authorize: nil, authorized_scope: nil, authorize_field: nil, **kwargs, &block)
|
|
79
101
|
if authorize && authorized_scope
|
|
80
102
|
raise ArgumentError, "Only one of `authorize` and `authorized_scope` " \
|
|
81
|
-
"options could be specified. You can use `preauthorize` along with scoping"
|
|
103
|
+
"options could be specified. You can use `preauthorize` or `authorize_field` along with scoping"
|
|
82
104
|
end
|
|
83
105
|
|
|
84
|
-
if authorize
|
|
85
|
-
raise ArgumentError, "Only one of `authorize`
|
|
106
|
+
if !!authorize == !!preauthorize ? authorize : authorize_field
|
|
107
|
+
raise ArgumentError, "Only one of `authorize`, `preauthorize` or `authorize_field` " \
|
|
86
108
|
"options could be specified."
|
|
87
109
|
end
|
|
88
110
|
|
|
@@ -91,6 +113,7 @@ module ActionPolicy
|
|
|
91
113
|
add_extension! extensions, AuthorizeExtension, authorize
|
|
92
114
|
add_extension! extensions, ScopeExtension, authorized_scope
|
|
93
115
|
add_extension! extensions, PreauthorizeExtension, preauthorize
|
|
116
|
+
add_extension! extensions, AuthorizeFieldExtension, authorize_field
|
|
94
117
|
|
|
95
118
|
super(*args, **kwargs, &block)
|
|
96
119
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: action_policy-graphql
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Vladimir Dementyev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-03-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: action_policy
|
|
@@ -58,14 +58,14 @@ dependencies:
|
|
|
58
58
|
requirements:
|
|
59
59
|
- - "~>"
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
|
-
version: '
|
|
61
|
+
version: '13.0'
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
66
|
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
|
-
version: '
|
|
68
|
+
version: '13.0'
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: rspec
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -183,7 +183,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
183
183
|
requirements:
|
|
184
184
|
- - ">="
|
|
185
185
|
- !ruby/object:Gem::Version
|
|
186
|
-
version: 2.
|
|
186
|
+
version: 2.5.0
|
|
187
187
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
188
188
|
requirements:
|
|
189
189
|
- - ">="
|