graphql-guard 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1b46996e864a4ef5bb6d263173c99a2550f4295a
-  data.tar.gz: 2dbd35db68ce97fdd5505d27cbadaee2b686c9ce
+  metadata.gz: 5870b2ab41869305af964ae8412f7b7628328272
+  data.tar.gz: 35db74d61a58b98c041a6f31a3fe05f1fd2183e2
 SHA512:
-  metadata.gz: 808c4e4702efede0b4bf662bc8b9ee590a053d2a0cd53cb11d23c25224eac82d0c826a20dccd911281b916f9b8f1ca389a9b72a68804e831a2d8b76f9ae54ef5
-  data.tar.gz: b6ca578ecbcb68f53a5c7161ddef5a1cc4213cefa2a85bf203d16fdb5541c8d7d9d011764c9cf307a6fa69cf2bc312a853086bdc3e890db4073e97d57ef43798
+  metadata.gz: 984a157c13ca13f6d49b6b2c770f51d8898b573ac58b8bf9c927b7c63b38e0a9cc6a1e731a621546a1fa875aef9b0c3489323aa8f7605b503ed91bfc02fcf279
+  data.tar.gz: 15f06cd5cfe6d2e5fad01258010c10b4a9203fa4427344e5007107decc9583b3b4d215073acf9c1e887cdca405c55f5d3507612359b3caa81152a5820c7a34fe

data/CHANGELOG.md

@@ -8,6 +8,14 @@ one of the following labels: `Added`, `Changed`, `Deprecated`,
 to manage the versions of this gem so
 that you can set version constraints properly.
 
-#### [Unreleased](https://github.com/exAspArk/graphql-guard/compare/e6d7d0f...HEAD)
+#### [Unreleased](https://github.com/exAspArk/graphql-guard/compare/v0.2.0...HEAD)
 
 * WIP
+
+#### [v0.2.0](https://github.com/exAspArk/graphql-guard/compare/v0.1.0...v0.2.0)
+
+* `Added`: support for object policies.
+
+#### [v0.1.0](https://github.com/exAspArk/graphql-guard/compare/e6d7d0f...v0.1.0) – 2017-07-19
+
+* `Added`: initial functional version with inline policies.

data/Gemfile

@@ -2,5 +2,7 @@ source "https://rubygems.org"
 
 git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
 
+gem "pry"
+
 # Specify your gem's dependencies in graphql-guard.gemspec
 gemspec

data/README.md

@@ -19,9 +19,9 @@ end
 # define query
 QueryType = GraphQL::ObjectType.define do
   name "Query"
-  field :posts, [PostType] do
+  field :posts, !types[PostType] do
     argument :user_id, !types.ID
-    resolve ->(_obj, args, _ctx) { Post.find(args[:user_id]) }
+    resolve ->(_obj, args, _ctx) { Post.where(user_id: args[:user_id]) }
   end
 end
 
@@ -38,14 +38,14 @@ GraphSchema.execute(
 )
 ```
 
-### Adding graphql-guard
+### Inline policies
 
 Add `GraphQL::Guard` to your schema:
 
 ```ruby
 Schema = GraphQL::Schema.define do
   query QueryType
-  use GraphQL::Guard.new # <========= HERE
+  use GraphQL::Guard.new # <======= ʘ‿ʘ
 end
 ```
 
@@ -54,27 +54,91 @@ Now you can define `guard` for a field, which will check permissions before reso
 ```ruby
 QueryType = GraphQL::ObjectType.define do
   name "Query"
-  field :posts, [PostType] do
+  field :posts, !types[PostType] do
     argument :user_id, !types.ID
-    guard ->(_obj, args, ctx) { args[:user_id] == ctx[:current_user].id } # <========= HERE
-    resolve ->(_obj, args, _ctx) { Post.find(args[:user_id]) }
+    guard ->(_obj, args, ctx) { args[:user_id] == ctx[:current_user].id } # <======= ʘ‿ʘ
+    ...
   end
 end
 ```
 
-You can also define `guard` for each field in the type:
+You can also define `guard`, which will be executed for all fields in the type:
 
 ```ruby
 PostType = GraphQL::ObjectType.define do
   name "Post"
-  guard ->(post, ctx) { post.author?(ctx[:current_user]) || ctx[:current_user].admin? } # <========= HERE
-  field :id, !types.ID
-  field :title, !types.String
+  guard ->(_post, ctx) { ctx[:current_user].admin? } # <======= ʘ‿ʘ
+  ...
 end
 ```
 
 If `guard` block returns `false`, then it'll raise a `GraphQL::Guard::NotAuthorizedError` error.
 
+### Policy object
+
+Alternatively, it's possible to describe all policies by using PORO (Plain Old Ruby Object), which should implement a `guard` method. For example:
+
+```ruby
+class GraphqlPolicy
+  RULES = {
+    QueryType => {
+      posts: ->(_obj, args, ctx) { args[:user_id] == ctx[:current_user].id }
+    },
+    PostType => {
+      '*': ->(post, ctx) { ctx[:current_user].admin? }
+    }
+  }
+
+  def self.guard(type, field)
+    RULES.dig(type, field)
+  end
+end
+```
+
+Use pass this object to `GraphQL::Guard`:
+
+```ruby
+Schema = GraphQL::Schema.define do
+  query QueryType
+  use GraphQL::Guard.new(policy_object: GraphqlPolicy) # <======= ʘ‿ʘ
+end
+```
+
+## Order of priority
+
+`GraphQL::Guard` will use the policy in the following order of priority:
+
+1. Inline policy on the field.
+2. Policy from the policy object on the field.
+3. Inline policy on the type.
+2. Policy from the policy object on the type.
+
+```ruby
+class GraphqlPolicy
+  RULES = {
+    PostType => {
+      title: ->(_post, ctx) { ctx[:current_user].admin? },                                # <======= 2
+      '*': ->(_post, ctx) { ctx[:current_user].admin? }                                   # <======= 4
+    }
+  }
+
+  def self.guard(type, field)
+    RULES.dig(type, field)
+  end
+end
+
+PostType = GraphQL::ObjectType.define do
+  name "Post"
+  guard ->(_post, ctx) { ctx[:current_user].admin? }                                      # <======= 3
+  field :title, !types.String, guard: ->(_post, _args, ctx) { ctx[:current_user].admin? } # <======= 1
+end
+
+Schema = GraphQL::Schema.define do
+  query QueryType
+  use GraphQL::Guard.new(policy_object: GraphqlPolicy)
+end
+```
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/lib/graphql/guard.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "graphql"
 require "graphql/guard/version"
 
@@ -6,36 +8,53 @@ GraphQL::Field.accepts_definitions(guard: GraphQL::Define.assign_metadata_key(:g
 
 module GraphQL
   class Guard
+    ANY_FIELD_NAME = :'*'
+
     NotAuthorizedError = Class.new(StandardError)
 
+    attr_reader :policy_object
+
+    def initialize(policy_object: nil)
+      @policy_object = policy_object
+    end
+
     def use(schema_definition)
       schema_definition.instrument(:field, self)
     end
 
     def instrument(type, field)
-      return field unless guard_proc?(type, field)
-      old_resolve_proc = field.resolve_proc
+      field_guard_proc = inline_field_guard(field) || policy_object_guard(type, field.name.to_sym)
+      type_guard_proc = inline_type_guard(type) || policy_object_guard(type, ANY_FIELD_NAME)
+      return field if !field_guard_proc && !type_guard_proc
 
-      new_resolve_proc =
-        if guard_proc = field.metadata[:guard]
-          ->(object, arguments, context) do
-            raise NotAuthorizedError.new("#{type}.#{field.name}") unless guard_proc.call(object, arguments, context)
-            old_resolve_proc.call(object, arguments, context)
-          end
-        elsif guard_proc = type.metadata[:guard]
-          ->(object, arguments, context) do
-            raise NotAuthorizedError.new("#{type}.#{field.name}") unless guard_proc.call(object, context)
-            old_resolve_proc.call(object, arguments, context)
+      old_resolve_proc = field.resolve_proc
+      new_resolve_proc = ->(object, arguments, context) do
+        authorized =
+          if field_guard_proc
+            field_guard_proc.call(object, arguments, context)
+          elsif type_guard_proc
+            type_guard_proc.call(object, context)
           end
-        end
+        raise NotAuthorizedError.new("#{type}.#{field.name}") unless authorized
+
+        old_resolve_proc.call(object, arguments, context)
+      end
 
       field.redefine { resolve(new_resolve_proc) }
     end
 
     private
 
-    def guard_proc?(type, field)
-      !!(field.metadata[:guard] || type.metadata[:guard])
+    def policy_object_guard(type, field_name)
+      policy_object && policy_object.guard(type, field_name)
+    end
+
+    def inline_field_guard(field)
+      field.metadata[:guard]
+    end
+
+    def inline_type_guard(type)
+      type.metadata[:guard]
     end
   end
 end

data/lib/graphql/guard/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module GraphQL
   class Guard
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: graphql-guard
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - exAspArk