action_policy-graphql 0.3.2 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +1 -1
- data/.travis.yml +5 -3
- data/CHANGELOG.md +7 -0
- data/README.md +28 -2
- data/action_policy-graphql.gemspec +2 -2
- data/lib/action_policy/graphql/authorized_field.rb +27 -4
- data/lib/action_policy/graphql/fields.rb +1 -1
- data/lib/action_policy/graphql/version.rb +1 -1
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bd6ef7017bd2bda6778f20997ea146431c9ed368f35ca257fd96c2050f3036c4
|
|
4
|
+
data.tar.gz: 4270fc41dadbbce556841298bcd6b2de62bafd7ac9826dd7b7ea60907d6ba98e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2337aa180c36185a1790863df06346c36ad17e3335d1dcc724ba6de9e9b498d0fb6c36336ee7cabe0489995dfe782447f9c1fe6da1747849a3ae58acb9a6aa90
|
|
7
|
+
data.tar.gz: f7448255b43d4cec0e5f837a11c00b48c74148ba0f2839520f9466286ff5f53594c1bcf1f033a08479790cc426a0a2feaf475a2c11739b2344a2231204b3f52f
|
data/.rubocop.yml
CHANGED
data/.travis.yml
CHANGED
|
@@ -22,14 +22,14 @@ matrix:
|
|
|
22
22
|
gemfile: gemfiles/action_policy/master.gemfile
|
|
23
23
|
- rvm: 2.6
|
|
24
24
|
gemfile: gemfiles/action_policy/0.3.gemfile
|
|
25
|
-
- rvm: jruby-9.2.
|
|
25
|
+
- rvm: jruby-9.2.8.0
|
|
26
26
|
gemfile: gemfiles/jruby.gemfile
|
|
27
|
+
- rvm: 2.7
|
|
28
|
+
gemfile: Gemfile
|
|
27
29
|
- rvm: 2.6
|
|
28
30
|
gemfile: Gemfile
|
|
29
31
|
- rvm: 2.5
|
|
30
32
|
gemfile: Gemfile
|
|
31
|
-
- rvm: 2.4
|
|
32
|
-
gemfile: Gemfile
|
|
33
33
|
allow_failures:
|
|
34
34
|
- rvm: ruby-head
|
|
35
35
|
gemfile: gemfiles/graphql/master.gemfile
|
|
@@ -37,3 +37,5 @@ matrix:
|
|
|
37
37
|
gemfile: gemfiles/graphql/master.gemfile
|
|
38
38
|
- rvm: 2.6
|
|
39
39
|
gemfile: gemfiles/action_policy/master.gemfile
|
|
40
|
+
- rvm: jruby-9.2.8.0
|
|
41
|
+
gemfile: gemfiles/jruby.gemfile
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
## master (unreleased)
|
|
4
4
|
|
|
5
|
+
## 0.4.0 (2010-03-11)
|
|
6
|
+
|
|
7
|
+
- **Require Ruby 2.5+**. ([@palkan][])
|
|
8
|
+
|
|
9
|
+
- Add `authorized_field: *` option to perform authorization on the base of the upper object policy prior to resolving fields. ([@sponomarev][])
|
|
10
|
+
|
|
5
11
|
## 0.3.2 (2019-12-12)
|
|
6
12
|
|
|
7
13
|
- Fix compatibility with Action Policy 0.4.0 ([@haines][])
|
|
@@ -35,3 +41,4 @@ Action Policy helpers there.
|
|
|
35
41
|
|
|
36
42
|
[@palkan]: https://github.com/palkan
|
|
37
43
|
[@haines]: https://github.com/haines
|
|
44
|
+
[@sponomarev]: https://github.com/sponomarev
|
data/README.md
CHANGED
|
@@ -98,7 +98,7 @@ class CityType < ::Common::Graphql::Type
|
|
|
98
98
|
end
|
|
99
99
|
```
|
|
100
100
|
|
|
101
|
-
**NOTE:** you cannot use `authorize: *` and `authorized_scope: *` at the same time but you can combine `preauthorize: *` with `authorized_scope: *`.
|
|
101
|
+
**NOTE:** you cannot use `authorize: *` and `authorized_scope: *` at the same time but you can combine `preauthorize: *` or `authorize_field: *` with `authorized_scope: *`.
|
|
102
102
|
|
|
103
103
|
### `preauthorize: *`
|
|
104
104
|
|
|
@@ -126,7 +126,7 @@ end
|
|
|
126
126
|
**NOTE:** we pass the field's name as the `record` to the policy rule. We assume that preauthorization rules do not depend on
|
|
127
127
|
the record itself and pass the field's name for debugging purposes only.
|
|
128
128
|
|
|
129
|
-
You can customize the authorization options, e.g. `
|
|
129
|
+
You can customize the authorization options, e.g. `preauthorize: {to: :preview?, with: CustomPolicy}`.
|
|
130
130
|
|
|
131
131
|
**NOTE:** unlike `authorize: *` you MUST specify the `with: SomePolicy` option.
|
|
132
132
|
The default authorization rule depends on the type of the field:
|
|
@@ -134,6 +134,32 @@ The default authorization rule depends on the type of the field:
|
|
|
134
134
|
- for lists we use `index?` (configured by `ActionPolicy::GraphQL.default_preauthorize_list_rule` parameter)
|
|
135
135
|
- for _singleton_ fields we use `show?` (configured by `ActionPolicy::GraphQL.default_preauthorize_node_rule` parameter)
|
|
136
136
|
|
|
137
|
+
### `authorize_field: *`
|
|
138
|
+
|
|
139
|
+
If you want to perform authorization before resolving the field value _on the base of the upper object_, you can use `authorize_field: *` option:
|
|
140
|
+
|
|
141
|
+
```ruby
|
|
142
|
+
field :homes, Home, null: false, authorize_field: true
|
|
143
|
+
|
|
144
|
+
def homes
|
|
145
|
+
Home.all
|
|
146
|
+
end
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
The code above is equal to:
|
|
150
|
+
|
|
151
|
+
```ruby
|
|
152
|
+
field :homes, [Home], null: false
|
|
153
|
+
|
|
154
|
+
def homes
|
|
155
|
+
authorize! object, to: :homes?
|
|
156
|
+
Home.all
|
|
157
|
+
end
|
|
158
|
+
```
|
|
159
|
+
By default we use `#{underscored_field_name}?` authorization rule.
|
|
160
|
+
|
|
161
|
+
You can customize the authorization options, e.g. `authorize_field: {to: :preview?, with: CustomPolicy}`.
|
|
162
|
+
|
|
137
163
|
### `expose_authorization_rules`
|
|
138
164
|
|
|
139
165
|
You can add permissions/authorization exposing fields to "tell" clients which actions could be performed against the object or not (and why).
|
|
@@ -29,13 +29,13 @@ Gem::Specification.new do |spec|
|
|
|
29
29
|
|
|
30
30
|
spec.require_paths = ["lib"]
|
|
31
31
|
|
|
32
|
-
spec.required_ruby_version = ">= 2.
|
|
32
|
+
spec.required_ruby_version = ">= 2.5.0"
|
|
33
33
|
|
|
34
34
|
spec.add_dependency "action_policy", ">= 0.3.0"
|
|
35
35
|
spec.add_dependency "graphql", ">= 1.9.3"
|
|
36
36
|
|
|
37
37
|
spec.add_development_dependency "bundler", ">= 1.15"
|
|
38
|
-
spec.add_development_dependency "rake", "~>
|
|
38
|
+
spec.add_development_dependency "rake", "~> 13.0"
|
|
39
39
|
spec.add_development_dependency "rspec", "~> 3.8"
|
|
40
40
|
spec.add_development_dependency "rubocop", "~> 0.67.0"
|
|
41
41
|
spec.add_development_dependency "rubocop-md", "~> 0.3"
|
|
@@ -67,6 +67,28 @@ module ActionPolicy
|
|
|
67
67
|
end
|
|
68
68
|
end
|
|
69
69
|
|
|
70
|
+
class AuthorizeFieldExtension < Extension
|
|
71
|
+
def apply
|
|
72
|
+
@to = extract_option(:to) { underscored_field_name }
|
|
73
|
+
@raise = extract_option(:raise) { ::ActionPolicy::GraphQL.authorize_raise_exception }
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def resolve(context:, object:, arguments:, **_rest)
|
|
77
|
+
if @raise
|
|
78
|
+
object.authorize! object.object, to: @to, **options
|
|
79
|
+
yield object, arguments
|
|
80
|
+
elsif object.allowed_to?(@to, object.object, **options)
|
|
81
|
+
yield object, arguments
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
private
|
|
86
|
+
|
|
87
|
+
def underscored_field_name
|
|
88
|
+
"#{field.instance_variable_get(:@underscored_name)}?".to_sym
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
|
|
70
92
|
class ScopeExtension < Extension
|
|
71
93
|
def after_resolve(value:, context:, object:, **_rest)
|
|
72
94
|
return value if value.nil?
|
|
@@ -75,14 +97,14 @@ module ActionPolicy
|
|
|
75
97
|
end
|
|
76
98
|
end
|
|
77
99
|
|
|
78
|
-
def initialize(*args, preauthorize: nil, authorize: nil, authorized_scope: nil, **kwargs, &block)
|
|
100
|
+
def initialize(*args, preauthorize: nil, authorize: nil, authorized_scope: nil, authorize_field: nil, **kwargs, &block)
|
|
79
101
|
if authorize && authorized_scope
|
|
80
102
|
raise ArgumentError, "Only one of `authorize` and `authorized_scope` " \
|
|
81
|
-
"options could be specified. You can use `preauthorize` along with scoping"
|
|
103
|
+
"options could be specified. You can use `preauthorize` or `authorize_field` along with scoping"
|
|
82
104
|
end
|
|
83
105
|
|
|
84
|
-
if authorize
|
|
85
|
-
raise ArgumentError, "Only one of `authorize`
|
|
106
|
+
if !!authorize == !!preauthorize ? authorize : authorize_field
|
|
107
|
+
raise ArgumentError, "Only one of `authorize`, `preauthorize` or `authorize_field` " \
|
|
86
108
|
"options could be specified."
|
|
87
109
|
end
|
|
88
110
|
|
|
@@ -91,6 +113,7 @@ module ActionPolicy
|
|
|
91
113
|
add_extension! extensions, AuthorizeExtension, authorize
|
|
92
114
|
add_extension! extensions, ScopeExtension, authorized_scope
|
|
93
115
|
add_extension! extensions, PreauthorizeExtension, preauthorize
|
|
116
|
+
add_extension! extensions, AuthorizeFieldExtension, authorize_field
|
|
94
117
|
|
|
95
118
|
super(*args, **kwargs, &block)
|
|
96
119
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: action_policy-graphql
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Vladimir Dementyev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-03-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: action_policy
|
|
@@ -58,14 +58,14 @@ dependencies:
|
|
|
58
58
|
requirements:
|
|
59
59
|
- - "~>"
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
|
-
version: '
|
|
61
|
+
version: '13.0'
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
66
|
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
|
-
version: '
|
|
68
|
+
version: '13.0'
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: rspec
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -183,7 +183,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
183
183
|
requirements:
|
|
184
184
|
- - ">="
|
|
185
185
|
- !ruby/object:Gem::Version
|
|
186
|
-
version: 2.
|
|
186
|
+
version: 2.5.0
|
|
187
187
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
188
188
|
requirements:
|
|
189
189
|
- - ">="
|