graphql-pundit 0.1.0

@@ -0,0 +1,21 @@
1
+ Metrics/BlockLength:
2
+ Exclude:
3
+ - 'spec/**/*'
4
+
5
+ Layout/AlignParameters:
6
+ Enabled: false
7
+
8
+ Layout/DotPosition:
9
+ EnforcedStyle: trailing
10
+
11
+ Layout/MultilineMethodCallIndentation:
12
+ EnforcedStyle: indented
13
+
14
+ Layout/SpaceInsideHashLiteralBraces:
15
+ EnforcedStyle: no_space
16
+
17
+ Style/DoubleNegation:
18
+ Enabled: false
19
+
20
+ Style/TrailingCommaInLiteral:
21
+ EnforcedStyleForMultiline: comma
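--- a/.ruby-version
+++ b/.ruby-version
@@ -0,0 +1 @@
+2.4.1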
@@ -0,0 +1,13 @@
1
+ sudo: required
2
+ dist: trusty
3
+
4
+ language: ruby
5
+
6
+ rvm:
7
+ - 2.4.1
8
+
9
+ notifications:
10
+ email: false
11
+
12
+ script:
13
+ - bundle exec rake
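--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in graphql-pundit.gemspec
+gemspec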
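--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Tom Gehrke
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.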
@@ -0,0 +1,84 @@
1
+ # GraphQL::Pundit
2
+
3
+
4
+
5
+ ## Installation
6
+
7
+ Add this line to your application's Gemfile:
8
+
9
+ ```ruby
10
+ gem 'graphql-pundit', github: 'ontohub/graphql-pundit',
11
+ branch: 'master'
12
+ ```
13
+
14
+ And then execute:
15
+
16
+ ```bash
17
+ $ bundle
18
+ ```
19
+
20
+ ## Usage
21
+
22
+ ### Add the authorization middleware
23
+
24
+ Add the following to your GraphQL schema:
25
+
26
+ ```ruby
27
+ MySchema = GraphQL::Schema.define do
28
+ ...
29
+ instrument(:field, GraphQL::Pundit::Instrumenter.new)
30
+ ...
31
+ end
32
+ ```
33
+
34
+ By default, `ctx[:current_user]` will be used as the user to authorize. To change that behavior, pass a symbol to `GraphQL::Pundit::Instrumenter`.
35
+
36
+ ```ruby
37
+ GraphQL::Pundit::Instrumenter.new(:me) # will use ctx[:me]
38
+ ```
39
+
40
+ ### Authorize fields
41
+
42
+ For each field you want to authorize via Pundit, add the following code to the field definition:
43
+
44
+ ```ruby
45
+ field :email do
46
+ authorize :read_email
47
+ resolve ...
48
+ end
49
+ ```
50
+
51
+ By default, this will use the Policy for the parent object (the first argument passed to the resolve proc), checking for `:read_email?` for the current user.
52
+
53
+ Now, in some cases you'll want to use a different policy, or in case of mutations, the passed object might be `nil`:
54
+
55
+ ```ruby
56
+ field :createUser
57
+ authorize! :create, User
58
+ resolve ...
59
+ end
60
+ ```
61
+
62
+ This will use the `:create?` method of the `UserPolicy`.
63
+
64
+ You might have also noticed the use of `authorize!` instead of `authorize` in this example. The difference between the two is this:
65
+
66
+ - `authorize` will set the field to `nil` if authorization fails
67
+ - `authorize!` will set the field to `nil` and add an error to the response if authorization fails
68
+
69
+ You would normally want to use `authorize` for fields in queries, that only e.g. the owner of something can see, while `authorize!` would be usually used in mutations, where you want to communicate to the client that the operation failed because the user is unauthorized.
70
+ ## Development
71
+
72
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
73
+
74
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
75
+
76
+ ## Contributing
77
+
78
+ Bug reports and pull requests are welcome on GitHub at https://github.com/ontohub/graphql-pundit.
79
+
80
+
81
+ ## License
82
+
83
+ The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
84
+
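--- a/Rakefile
+++ b/Rakefile
@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec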
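Review bot: The default task (hunk line 6) only runs `:spec`, so `bundle exec rake` in `.travis.yml` never executes RuboCop even though rubocop is declared as a development dependency in the gemspec and a RuboCop configuration ships with the gem; the lint step is therefore not enforced anywhere in CI. Wiring it in takes three lines: `require 'rubocop/rake_task'`, `RuboCop::RakeTask.new`, and `task default: %i[spec rubocop]`. The last of these also replaces the pre-1.9 hash-rocket form `task :default => :spec` with the symbol-key style the rest of the gem uses.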
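--- a/bin/console
+++ b/bin/console
@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "graphql/pundit"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)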
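Review bot: `require "graphql/pundit"` (hunk line 4) points at a file this gem does not contain: the gemspec requires `graphql-pundit/version`, and the metadata file list only has `lib/graphql-pundit.rb`, `lib/graphql-pundit/instrumenter.rb` and `lib/graphql-pundit/version.rb`, so running `bin/console` raises `LoadError` before reaching IRB. Change it to `require "graphql-pundit"`. The generated `bundle gem` template assumed a `graphql/pundit` layout that the library files do not follow.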
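--- a/bin/setup
+++ b/bin/setup
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here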
@@ -0,0 +1,36 @@
1
+ # coding: utf-8
2
+ # frozen_string_literal: true
3
+
4
+ lib = File.expand_path('../lib', __FILE__)
5
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
6
+ require 'graphql-pundit/version'
7
+
8
+ Gem::Specification.new do |spec|
9
+ spec.name = 'graphql-pundit'
10
+ spec.version = GraphQL::Pundit::VERSION
11
+ spec.authors = ['Ontohub Core Developers']
12
+ spec.email = ['ontohub-dev-l@ovgu.de']
13
+
14
+ spec.summary = 'Pundit authorization support for graphql'
15
+ spec.description = spec.summary
16
+ spec.homepage = 'https://github.com/ontohub/graphql-pundit'
17
+ spec.license = 'MIT'
18
+
19
+ spec.files = `git ls-files -z`.split("\x0").reject do |f|
20
+ f.match(%r{^(test|spec|features)/})
21
+ end
22
+ spec.bindir = 'exe'
23
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
24
+ spec.require_paths = ['lib']
25
+
26
+ spec.add_dependency 'graphql', '~> 1.6.4'
27
+ spec.add_dependency 'pundit', '~> 1.1.0'
28
+
29
+ spec.add_development_dependency 'pry', '~> 0.10.4'
30
+ spec.add_development_dependency 'bundler', '~> 1.14'
31
+ spec.add_development_dependency 'rake', '~> 12.0'
32
+ spec.add_development_dependency 'rspec', '~> 3.6'
33
+ spec.add_development_dependency 'rubocop', '~> 0.49.1'
34
+ spec.add_development_dependency 'simplecov', '~> 0.14.1'
35
+ spec.add_development_dependency 'codecov', '~> 0.1.10'
36
+ end
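Review bot: `spec.required_ruby_version` is never set in the `Gem::Specification` block (hunk lines 8-36), so the built gem advertises `>= 0` — the generated metadata section further down records exactly that — while the only interpreter the gem is pinned to (`.ruby-version`) and tested on (`.travis.yml`) is 2.4.1. Declaring the floor with `spec.required_ruby_version = '>= 2.4'` lets RubyGems and Bundler refuse to resolve the gem on older rubies instead of failing at load time; 2.4 is the tested floor here, a lower value is presumably possible but unverified on this page. The `# coding: utf-8` magic comment on line 1 is redundant on any Ruby this gem would run on, as UTF-8 has been the default source encoding since 2.0.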
@@ -0,0 +1,17 @@
1
+ require 'graphql-pundit/instrumenter'
2
+ require 'graphql-pundit/version'
3
+
4
+ require 'graphql'
5
+
6
+ module GraphQL
7
+ def self.assign_authorize(raise_unauthorized)
8
+ lambda do |defn, query, record = nil|
9
+ GraphQL::Define::InstanceDefinable::AssignMetadataKey.new(:authorize).call(
10
+ defn,
11
+ record: record, query: query, raise: raise_unauthorized
12
+ )
13
+ end
14
+ end
15
+ GraphQL::Field.accepts_definitions authorize: assign_authorize(false)
16
+ GraphQL::Field.accepts_definitions authorize!: assign_authorize(true)
17
+ end
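Review bot: `def self.assign_authorize` (hunk line 7) is defined as a public singleton method on the third-party `GraphQL` module itself, so the gem leaks a helper into graphql-ruby's namespace where it can shadow or collide with an upstream method of the same name, and any code can call `GraphQL.assign_authorize` to register further metadata keys. It is only needed at load time to build the two `accepts_definitions` lambdas on lines 15-16, so either move it under `GraphQL::Pundit` or at least add `private_class_method :assign_authorize` after the definition. The file also lacks the `# frozen_string_literal: true` comment that the gemspec carries, which is worth aligning given RuboCop is part of the toolchain.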
@@ -0,0 +1,45 @@
1
+ require 'pundit'
2
+
3
+ module GraphQL
4
+ module Pundit
5
+ class Instrumenter
6
+ attr_reader :current_user
7
+
8
+ def initialize(current_user = :current_user)
9
+ @current_user = current_user
10
+ end
11
+
12
+ def instrument(_type, field)
13
+ if field.metadata[:authorize]
14
+ old_resolve = field.resolve_proc
15
+ resolve_proc = resolve_proc(current_user,
16
+ old_resolve,
17
+ field.metadata[:authorize])
18
+ field.redefine do
19
+ resolve resolve_proc
20
+ end
21
+ else
22
+ field
23
+ end
24
+ end
25
+
26
+ def resolve_proc(current_user, old_resolve, options)
27
+ lambda do |obj, args, ctx|
28
+ query = options[:query].to_s + '?'
29
+ record = options[:record] || obj
30
+ begin
31
+ unless ::Pundit.authorize(ctx[current_user], record, query)
32
+ raise ::Pundit::NotAuthorizedError
33
+ end
34
+ old_resolve.call(obj, args, ctx)
35
+ rescue ::Pundit::NotAuthorizedError
36
+ if options[:raise]
37
+ raise GraphQL::ExecutionError,
38
+ "You're not authorized to do this"
39
+ end
40
+ end
41
+ end
42
+ end
43
+ end
44
+ end
45
+ end
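Review bot: The `begin`/`rescue ::Pundit::NotAuthorizedError` in `resolve_proc` (hunk lines 30-40) also encloses `old_resolve.call(obj, args, ctx)`, so a `NotAuthorizedError` raised by the wrapped resolver's own authorization logic is turned into `nil` (or into the generic message) and becomes indistinguishable from a denial of this field, hiding the resolver's failure from the client and from logs. Only the `::Pundit.authorize` call belongs inside the handler; the resolver should run after it, outside the rescue, so its own errors propagate unchanged. The explicit `unless ... raise ::Pundit::NotAuthorizedError` around the authorize call looks redundant — in the pinned pundit series `Pundit.authorize` already raises on a false policy result and returns the record otherwise — but keeping it is harmless. Separately, in `instrument` (lines 12-24) the local `resolve_proc` shadows the method of the same name; a name such as `guarded_resolve` avoids the confusion. A rewrite of the lambda follows.
```ruby
def resolve_proc(current_user, old_resolve, options)
  lambda do |obj, args, ctx|
    query = options[:query].to_s + '?'
    record = options[:record] || obj
    begin
      ::Pundit.authorize(ctx[current_user], record, query)
    rescue ::Pundit::NotAuthorizedError
      if options[:raise]
        raise GraphQL::ExecutionError,
              "You're not authorized to do this"
      end
      # Field-level denial without raise: the field resolves to nil, as before.
      next nil
    end
    # Reached only when authorized; errors raised by the resolver propagate unchanged.
    old_resolve.call(obj, args, ctx)
  end
end
```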
@@ -0,0 +1,5 @@
1
+ module GraphQL
2
+ module Pundit
3
+ VERSION = '0.1.0'.freeze
4
+ end
5
+ end
metadata ADDED
@@ -0,0 +1,189 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: graphql-pundit
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Ontohub Core Developers
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2017-08-07 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: graphql
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: 1.6.4
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: 1.6.4
27
+ - !ruby/object:Gem::Dependency
28
+ name: pundit
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: 1.1.0
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: 1.1.0
41
+ - !ruby/object:Gem::Dependency
42
+ name: pry
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: 0.10.4
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: 0.10.4
55
+ - !ruby/object:Gem::Dependency
56
+ name: bundler
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - "~>"
60
+ - !ruby/object:Gem::Version
61
+ version: '1.14'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - "~>"
67
+ - !ruby/object:Gem::Version
68
+ version: '1.14'
69
+ - !ruby/object:Gem::Dependency
70
+ name: rake
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - "~>"
74
+ - !ruby/object:Gem::Version
75
+ version: '12.0'
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - "~>"
81
+ - !ruby/object:Gem::Version
82
+ version: '12.0'
83
+ - !ruby/object:Gem::Dependency
84
+ name: rspec
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - "~>"
88
+ - !ruby/object:Gem::Version
89
+ version: '3.6'
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - "~>"
95
+ - !ruby/object:Gem::Version
96
+ version: '3.6'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rubocop
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - "~>"
102
+ - !ruby/object:Gem::Version
103
+ version: 0.49.1
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - "~>"
109
+ - !ruby/object:Gem::Version
110
+ version: 0.49.1
111
+ - !ruby/object:Gem::Dependency
112
+ name: simplecov
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - "~>"
116
+ - !ruby/object:Gem::Version
117
+ version: 0.14.1
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - "~>"
123
+ - !ruby/object:Gem::Version
124
+ version: 0.14.1
125
+ - !ruby/object:Gem::Dependency
126
+ name: codecov
127
+ requirement: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - "~>"
130
+ - !ruby/object:Gem::Version
131
+ version: 0.1.10
132
+ type: :development
133
+ prerelease: false
134
+ version_requirements: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - "~>"
137
+ - !ruby/object:Gem::Version
138
+ version: 0.1.10
139
+ description: Pundit authorization support for graphql
140
+ email:
141
+ - ontohub-dev-l@ovgu.de
142
+ executables: []
143
+ extensions: []
144
+ extra_rdoc_files: []
145
+ files:
146
+ - ".gitignore"
147
+ - ".hound.yml"
148
+ - ".rspec"
149
+ - ".rubocop.yml"
150
+ - ".rubocop_disabled.yml"
151
+ - ".rubocop_enabled.yml"
152
+ - ".rubocop_modified.yml"
153
+ - ".ruby-version"
154
+ - ".travis.yml"
155
+ - Gemfile
156
+ - LICENSE.txt
157
+ - README.md
158
+ - Rakefile
159
+ - bin/console
160
+ - bin/setup
161
+ - graphql-pundit.gemspec
162
+ - lib/graphql-pundit.rb
163
+ - lib/graphql-pundit/instrumenter.rb
164
+ - lib/graphql-pundit/version.rb
165
+ homepage: https://github.com/ontohub/graphql-pundit
166
+ licenses:
167
+ - MIT
168
+ metadata: {}
169
+ post_install_message:
170
+ rdoc_options: []
171
+ require_paths:
172
+ - lib
173
+ required_ruby_version: !ruby/object:Gem::Requirement
174
+ requirements:
175
+ - - ">="
176
+ - !ruby/object:Gem::Version
177
+ version: '0'
178
+ required_rubygems_version: !ruby/object:Gem::Requirement
179
+ requirements:
180
+ - - ">="
181
+ - !ruby/object:Gem::Version
182
+ version: '0'
183
+ requirements: []
184
+ rubyforge_project:
185
+ rubygems_version: 2.6.11
186
+ signing_key:
187
+ specification_version: 4
188
+ summary: Pundit authorization support for graphql
189
+ test_files: []