action_policy-graphql 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da60e0290bedb6652f75804bf0b54eb995c1a85708d35ec486b46022604c13d2
-  data.tar.gz: c996102f26404ba808fd0a6b5d927f3509c45ba799acc5c1147e20f7e62bb76d
+  metadata.gz: af986a07ebe7dbdfa82c22e7c5977562fe950297e9d7a1a73f3b3350df2985e7
+  data.tar.gz: 1c9f5b334f632827e9221b327fe622d91be5f92c871f6fb4807a397a73984735
 SHA512:
-  metadata.gz: c344fff8978dc691b1c820e01790234ef472779592bc70b20b5ef9fa0dbac9cc3075893ad299270396b4be69ed7a7c3c54dc502dde39e3c6fedd11049f2007d7
-  data.tar.gz: 667b4957e8400858eaff8544508cc04482ad90ada14d5f2839910a1ecc29ca6987f3906cf1a111222d81f0d06cc0475884115ddbbac564a554c17200f5bf60cf
+  metadata.gz: 7d98d44c4c349789b58d463dc1b447e9181f6fadcdd5a3e09b7c47835b4b9a154b000e5c39ac96cce98a8e09e91e1560a4bb8a6d3263753a59362bd352102692
+  data.tar.gz: 6aad6769bbea6aae1137b158a6c54d6f12742a443227f43de6ad28471ce2add320349a671c196dada9d304238f2bdaa8ab201437b526e8cb6a51d9ccc31fbf4c

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## master (unreleased)
 
+## 0.3.0 (2019-10-21)
+
+- Add `preauthorize: *` option to perform authorization prior to resolving fields. ([@palkan][])
+
 ## 0.2.0 (2019-08-15)
 
 - Add ability to specify a field name explicitly. ([@palkan][])

data/README.md

@@ -9,7 +9,7 @@ This gem provides an integration for using [Action Policy](https://github.com/pa
 This integration includes the following features:
 - Fields & mutations authorization
 - List and connections scoping
-- [**Exposing permissions/authorization rules in the API**](https://dev.to/evilmartians/exposing-permissions-in-graphql-apis-with-action-policy-1mfh).
+- [**Exposing permissions/authorization rules in the API**](https://evilmartians.com/chronicles/exposing-permissions-in-graphql-apis-with-action-policy).
 
 📑 [Documentation](https://actionpolicy.evilmartians.io/#/graphql)
 
@@ -21,7 +21,7 @@ This integration includes the following features:
 Add this line to your application's Gemfile:
 
 ```ruby
-gem "action_policy-graphql", "~> 0.1"
+gem "action_policy-graphql", "~> 0.3"
 ```
 
 And then execute:
@@ -96,6 +96,42 @@ class CityType < ::Common::Graphql::Type
 end
 ```
 
+**NOTE:** you cannot use `authorize: *` and `authorized_scope: *` at the same time but you can combine `preauthorize: *` with `authorized_scope: *`.
+
+### `preauthorize: *`
+
+If you want to perform authorization before resolving the field value, you can use `preauthorize: *` option:
+
+```ruby
+field :homes, [Home], null: false, preauthorize: {with: HomePolicy}
+
+def homes
+  Home.all
+end
+```
+
+The code above is equal to:
+
+```ruby
+field :homes, [Home], null: false
+
+def homes
+  authorize! "homes", to: :index?, with: HomePolicy
+  Home.all
+end
+```
+
+**NOTE:** we pass the field's name as the `record` to the policy rule. We assume that preauthorization rules do not depend on
+the record itself and pass the field's name for debugging purposes only.
+
+You can customize the authorization options, e.g. `authorize: {to: :preview?, with: CustomPolicy}`.
+
+**NOTE:** unlike `authorize: *` you MUST specify the `with: SomePolicy` option.
+The default authorization rule depends on the type of the field:
+
+- for lists we use `index?` (configured by `ActionPolicy::GraphQL.default_preauthorize_list_rule` parameter)
+- for _singleton_ fields we use `show?` (configured by `ActionPolicy::GraphQL.default_preauthorize_node_rule` parameter)
+
 ### `expose_authorization_rules`
 
 You can add permissions/authorization exposing fields to "tell" clients which actions could be performed against the object or not (and why).

data/lib/action_policy/graphql.rb

@@ -12,6 +12,16 @@ module ActionPolicy
       # Defaults to `:show?`
       attr_accessor :default_authorize_rule
 
+      # Which rule to use when no specified for preauthorization (e.g. `preauthorize: true`)
+      # of a list-like field.
+      # Defaults to `:index?`
+      attr_accessor :default_preauthorize_list_rule
+
+      # Which rule to use when no specified for preauthorization (e.g. `preauthorize: true`)
+      # of a singleton-like field.
+      # Defaults to `:show?`
+      attr_accessor :default_preauthorize_node_rule
+
       # Whether to raise an exeption if field is not authorized
       # or return `nil`.
       # Defaults to `true`.
@@ -23,6 +33,8 @@ module ActionPolicy
     end
 
     self.default_authorize_rule = :show?
+    self.default_preauthorize_list_rule = :index?
+    self.default_preauthorize_node_rule = :show?
     self.authorize_raise_exception = true
     self.default_authorization_field_prefix = "can_"
   end

data/lib/action_policy/graphql/authorized_field.rb

@@ -32,6 +32,32 @@ module ActionPolicy
         end
       end
 
+      class PreauthorizeExtension < ::GraphQL::Schema::FieldExtension
+        def initialize(*)
+          super
+          if options[:with].nil?
+            raise ArgumentError, "You must specify the policy for preauthorization: " \
+                                 "`field :#{field.name}, preauthorize: {with: SomePolicy}`"
+          end
+          options[:to] ||=
+            if field.type.list?
+              ::ActionPolicy::GraphQL.default_preauthorize_list_rule
+            else
+              ::ActionPolicy::GraphQL.default_preauthorize_node_rule
+            end
+          options[:raise] = ::ActionPolicy::GraphQL.authorize_raise_exception unless options.key?(:raise)
+        end
+
+        def resolve(context:, object:, arguments:, **_rest)
+          if options[:raise]
+            object.authorize! field.name, **options
+            yield object, arguments
+          elsif object.allowed_to?(options[:to], field.name, options)
+            yield object, arguments
+          end
+        end
+      end
+
       class ScopeExtension < ::GraphQL::Schema::FieldExtension
         def after_resolve(value:, context:, object:, **_rest)
           return value if value.nil?
@@ -40,31 +66,40 @@ module ActionPolicy
         end
       end
 
-      def initialize(*args, authorize: nil, authorized_scope: nil, **kwargs, &block)
+      def initialize(*args, preauthorize: nil, authorize: nil, authorized_scope: nil, **kwargs, &block)
         if authorize && authorized_scope
           raise ArgumentError, "Only one of `authorize` and `authorized_scope` " \
-                               "options could be specified"
+                               "options could be specified. You can use `preauthorize` along with scoping"
         end
 
-        options = authorize || authorized_scope
+        if authorize && preauthorize
+          raise ArgumentError, "Only one of `authorize` and `preauthorize` " \
+                               "options could be specified."
+        end
 
-        if options
-          options = {} if options == true
+        extensions = (kwargs[:extensions] ||= [])
 
-          extension_class = authorized_scope ? ScopeExtension : AuthorizeExtension
+        add_extension! extensions, AuthorizeExtension, authorize
+        add_extension! extensions, ScopeExtension, authorized_scope
+        add_extension! extensions, PreauthorizeExtension, preauthorize
 
-          extension = {extension_class => options}
+        super(*args, **kwargs, &block)
+      end
 
-          extensions = (kwargs[:extensions] ||= [])
+      private
 
-          if extensions.is_a?(Hash)
-            extensions.merge!(extension)
-          else
-            extensions << extension
-          end
-        end
+      def add_extension!(extensions, extension_class, options)
+        return unless options
 
-        super(*args, **kwargs, &block)
+        options = {} if options == true
+
+        extension = {extension_class => options}
+
+        if extensions.is_a?(Hash)
+          extensions.merge!(extension)
+        else
+          extensions << extension
+        end
       end
     end
   end

data/lib/action_policy/graphql/version.rb

@@ -2,6 +2,6 @@
 
 module ActionPolicy
   module GraphQL
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: action_policy-graphql
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Vladimir Dementyev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-15 00:00:00.000000000 Z
+date: 2019-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: action_policy