graphql-guard 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5870b2ab41869305af964ae8412f7b7628328272
-  data.tar.gz: 35db74d61a58b98c041a6f31a3fe05f1fd2183e2
+  metadata.gz: 33482164f7f2f2a17ba43bc1219975ee6de6ea19
+  data.tar.gz: fade6ad6159072a1f3609cbc4e43b5fba2ce100b
 SHA512:
-  metadata.gz: 984a157c13ca13f6d49b6b2c770f51d8898b573ac58b8bf9c927b7c63b38e0a9cc6a1e731a621546a1fa875aef9b0c3489323aa8f7605b503ed91bfc02fcf279
-  data.tar.gz: 15f06cd5cfe6d2e5fad01258010c10b4a9203fa4427344e5007107decc9583b3b4d215073acf9c1e887cdca405c55f5d3507612359b3caa81152a5820c7a34fe
+  metadata.gz: e198c43bd8b1a4e9ce8de01db82605f1d937efbbd8f6f509e89ae1363e253ec43a70251584fa6f7ef7a44d7b89a4029322be4b93ad9e43b4d8e04a6f3a26bea1
+  data.tar.gz: f465007bb574373cb6d220aea2b6361d828055a69bf57e91ed5e12a6f6fb31d64043b7636e15763eaac922926618ab1e01c280456dd91b022094df6d9e300bb7

data/CHANGELOG.md

@@ -12,7 +12,11 @@ that you can set version constraints properly.
 
 * WIP
 
-#### [v0.2.0](https://github.com/exAspArk/graphql-guard/compare/v0.1.0...v0.2.0)
+#### [v0.3.0](https://github.com/exAspArk/graphql-guard/compare/v0.2.0...v0.3.0) – 2017-07-19
+
+* `Added`: ability to use custom error handlers.
+
+#### [v0.2.0](https://github.com/exAspArk/graphql-guard/compare/v0.1.0...v0.2.0) – 2017-07-19
 
 * `Added`: support for object policies.
 

data/README.md

@@ -4,19 +4,35 @@
 
 This tiny gem provides a field-level authorization for [graphql-ruby](https://github.com/rmosolgo/graphql-ruby).
 
+## Contents
+
+* [Usage](#usage)
+  * [Inline policies](#inline-policies)
+  * [Policy object](#policy-object)
+* [Priority order](#priority-order)
+* [Error handling](#error-handling)
+* [Integration](#integration)
+  * [CanCanCan](#cancancan)
+  * [Pundit](#pundit)
+* [Installation](#installation)
+* [Development](#development)
+* [Contributing](#contributing)
+* [License](#license)
+* [Code of Conduct](#code-of-conduct)
+
 ## Usage
 
 Define a GraphQL schema:
 
 ```ruby
-# define type
+# define a type
 PostType = GraphQL::ObjectType.define do
   name "Post"
   field :id, !types.ID
   field :title, !types.String
 end
 
-# define query
+# define a query
 QueryType = GraphQL::ObjectType.define do
   name "Query"
   field :posts, !types[PostType] do
@@ -25,17 +41,13 @@ QueryType = GraphQL::ObjectType.define do
   end
 end
 
-# define schema
+# define a schema
 Schema = GraphQL::Schema.define do
   query QueryType
 end
 
 # execute query
-GraphSchema.execute(
-  query,
-  variables: { user_id: 1 },
-  context: { current_user: current_user }
-)
+GraphSchema.execute(query, variables: { user_id: 1 }, context: { current_user: current_user })
 ```
 
 ### Inline policies
@@ -85,7 +97,7 @@ class GraphqlPolicy
       posts: ->(_obj, args, ctx) { args[:user_id] == ctx[:current_user].id }
     },
     PostType => {
-      '*': ->(post, ctx) { ctx[:current_user].admin? }
+      '*': ->(_post, ctx) { ctx[:current_user].admin? }
     }
   }
 
@@ -95,7 +107,7 @@ class GraphqlPolicy
 end
 ```
 
-Use pass this object to `GraphQL::Guard`:
+Pass this object to `GraphQL::Guard`:
 
 ```ruby
 Schema = GraphQL::Schema.define do
@@ -104,7 +116,7 @@ Schema = GraphQL::Schema.define do
 end
 ```
 
-## Order of priority
+## Priority order
 
 `GraphQL::Guard` will use the policy in the following order of priority:
 
@@ -139,6 +151,96 @@ Schema = GraphQL::Schema.define do
 end
 ```
 
+## Error handling
+
+By default `GraphQL::Guard` raises a `GraphQL::Guard::NotAuthorizedError` exception if access to field is not authorized.
+You can change this behavior, by passing custom `not_authorized` lambda. For example:
+
+```ruby
+SchemaWithoutExceptions = GraphQL::Schema.define do
+  query QueryType
+  use GraphQL::Guard.new(
+    # by default it raises an error
+    # not_authorized: ->(type, field) { raise GraphQL::Guard::NotAuthorizedError.new("#{type}.#{field}") }
+
+    # returns an error in the response
+    not_authorized: ->(type, field) { GraphQL::ExecutionError.new("Not authorized to access #{type}.#{field}") }
+  )
+end
+```
+
+In this case executing a query will continue, but return `nil` for not authorized field and also an array of `errors`:
+
+```ruby
+SchemaWithoutExceptions.execute("query { posts(user_id: 1) { id title } }")
+# => {
+# "data" => nil,
+# "errors" => [{ "messages" => "Not authorized to access Query.posts", "locations": { ... }, "path" => ["posts"] }]
+# }
+```
+
+## Integration
+
+You can simply reuse your existing policies if you really want. You don't need any monkey patches or magic for it ;)
+
+### CanCanCan
+
+```ruby
+# define an ability
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    user ||= User.new # guest user if not logged in
+    if user.admin?
+      can :manage, :all
+    else
+      can :read, Post, author_id: user.id
+    end
+  end
+end
+
+# use the ability in your guard policy object
+class GraphqlPolicy
+  RULES = {
+    PostType => {
+      '*': ->(post, ctx) { ctx[:current_ability].can?(:read, post) },
+    }
+  }
+
+  def self.guard(type, field)
+    RULES.dig(type, field)
+  end
+end
+
+# pass the ability
+GraphSchema.execute(query, context: { current_ability: Ability.new(current_user) })
+```
+
+### Pundit
+
+```ruby
+# define a policy
+class PostPolicy < ApplicationPolicy
+  def show?
+    user.admin? || record.author_id == user.id
+  end
+end
+
+# use the policy in your guard policy object
+class GraphqlPolicy
+  RULES = {
+    PostType => {
+      '*': ->(post, ctx) { PostPolicy.new(ctx[:current_user], post).show? },
+    }
+  }
+
+  def self.guard(type, field)
+    RULES.dig(type, field)
+  end
+end
+```
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/lib/graphql/guard.rb

@@ -9,13 +9,15 @@ GraphQL::Field.accepts_definitions(guard: GraphQL::Define.assign_metadata_key(:g
 module GraphQL
   class Guard
     ANY_FIELD_NAME = :'*'
+    DEFAULT_NOT_AUTHORIZED = ->(type, field) { raise NotAuthorizedError.new("#{type}.#{field}") }
 
     NotAuthorizedError = Class.new(StandardError)
 
-    attr_reader :policy_object
+    attr_reader :policy_object, :not_authorized
 
-    def initialize(policy_object: nil)
+    def initialize(policy_object: nil, not_authorized: DEFAULT_NOT_AUTHORIZED)
       @policy_object = policy_object
+      @not_authorized = not_authorized
     end
 
     def use(schema_definition)
@@ -35,9 +37,12 @@ module GraphQL
           elsif type_guard_proc
             type_guard_proc.call(object, context)
           end
-        raise NotAuthorizedError.new("#{type}.#{field.name}") unless authorized
 
-        old_resolve_proc.call(object, arguments, context)
+        if authorized
+          old_resolve_proc.call(object, arguments, context)
+        else
+          not_authorized.call(type, field.name.to_sym)
+        end
       end
 
       field.redefine { resolve(new_resolve_proc) }

data/lib/graphql/guard/version.rb

@@ -2,6 +2,6 @@
 
 module GraphQL
   class Guard
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: graphql-guard
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - exAspArk