graphql-pundit 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c2b929e8f4c25ece4d0afbaa33cde63dfc066a4a
-  data.tar.gz: 9cd2e4ecb125ffa2c23f8ed087e1fd3f4a673f67
+  metadata.gz: 6ce932c3e90158e8692934bac208942e9a10faa9
+  data.tar.gz: 87858e55cab3ec052e5756b66ebb5fa2285e4dc8
 SHA512:
-  metadata.gz: 4e8f9deb8f6a921cbfaa30b600e1dee9ffa2de10be06940536ad43a41ce26d4cba7b416acc4fc1bfe78974c3a2b6853b0193cbbeeb8629050aae7c13147e3b11
-  data.tar.gz: 0467ea4815289e93d65bf9c05bf0e4e3071246e57d4deadfff8e413dc296eccffcf6428622a36a4896ba50deff9cfda01f9ea282cbb92c7ce5178dc05d8ab748
+  metadata.gz: 5fd1f0da13f241e13bcf145adadb710f256a36418049b93c56674c1d10dc3cf1d3fc3bf75773eb49fd3b72ff0d1057ec2949d3fd1b5bfebbdb6279641fcbe67a
+  data.tar.gz: 86d4a7a066b99752538caf1e60f554939e514af4a7fe86138ac6d85c5a2a389aef2bb0486f756b90972eb5140e4088854fc682173645b0276ac02f10ed29c077

data/.codeclimate.yml

@@ -0,0 +1,16 @@
+---
+engines:
+  duplication:
+    enabled: true
+    config:
+      languages:
+      - ruby
+  fixme:
+    enabled: false
+  rubocop:
+    enabled: false
+ratings:
+  paths:
+  - "**.rb"
+exclude_paths:
+- spec/

data/.rubocop.yml

@@ -503,7 +503,7 @@ Layout/ExtraSpacing:
 Style/FileName:
   # File names listed in `AllCops:Include` are excluded by default. Add extra
   # excludes here.
-  Exclude: []
+  Exclude: ['lib/graphql-pundit.rb']
   # When `true`, requires that each source file should define a class or module
   # with a name which matches the file name (converted to ... case).
   # It further expects it to be nested inside modules which match the names

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in graphql-pundit.gemspec

data/README.md

@@ -1,3 +1,10 @@
+[![Gem](https://img.shields.io/gem/v/graphql-pundit.svg)](https://rubygems.org/gems/graphql-pundit)
+[![Build Status](https://travis-ci.org/ontohub/graphql-pundit.svg?branch=master)](https://travis-ci.org/ontohub/graphql-pundit)
+[![Coverage Status](https://codecov.io/gh/ontohub/graphql-pundit/branch/master/graph/badge.svg)](https://codecov.io/gh/ontohub/graphql-pundit)
+[![Code Climate](https://codeclimate.com/github/ontohub/graphql-pundit/badges/gpa.svg)](https://codeclimate.com/github/ontohub/graphql-pundit)
+[![Dependency Status](https://gemnasium.com/badges/github.com/ontohub/graphql-pundit.svg)](https://gemnasium.com/github.com/ontohub/graphql-pundit)
+[![GitHub issues](https://img.shields.io/github/issues/ontohub/graphql-pundit.svg?maxAge=2592000)](https://waffle.io/ontohub/ontohub-backend?source=ontohub%2Fgraphql-pundit)
+
 # GraphQL::Pundit
 
 
@@ -7,8 +14,7 @@
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'graphql-pundit', github: 'ontohub/graphql-pundit',
-                      branch: 'master'
+gem 'graphql-pundit'
 ```
 
 And then execute:
@@ -43,23 +49,30 @@ For each field you want to authorize via Pundit, add the following code to the f
 
 ```ruby
 field :email do
-  authorize :read_email
+  authorize # will use UserPolicy#email?
   resolve ...
 end
 ```
 
-By default, this will use the Policy for the parent object (the first argument passed to the resolve proc), checking for `:read_email?` for the current user.
+By default, this will use the Policy for the parent object (the first argument passed to the resolve proc), checking for `:email?` for the current user. Sometimes, the field name will differ from the policy method name, in which case you can specify it explicitly:
+
+```ruby
+field :email do
+  authorize :read_email # will use UserPolicy#read_email?
+  resolve ...
+end
+```
 
 Now, in some cases you'll want to use a different policy, or in case of mutations, the passed object might be `nil`:
 
 ```ruby
 field :createUser
-  authorize! :create, User
+  authorize! :create, User # or User.new; will use UserPolicy#create?
   resolve ...
 end
 ```
 
-This will use the `:create?` method of the `UserPolicy`.
+This will use the `:create?` method of the `UserPolicy`. You can also pass in objects instead of a class, if you wish to authorize the user for the specific object.
 
 You might have also noticed the use of `authorize!` instead of `authorize` in this example. The difference between the two is this:
 
@@ -67,6 +80,38 @@ You might have also noticed the use of `authorize!` instead of `authorize` in th
 - `authorize!` will set the field to `nil` and add an error to the response if authorization fails
 
 You would normally want to use `authorize` for fields in queries, that only e.g. the owner of something can see, while `authorize!` would be usually used in mutations, where you want to communicate to the client that the operation failed because the user is unauthorized.
+
+If you still need more control over how policies are called, you can pass a lambda to `authorize`:
+
+```ruby
+field :email
+  authorize ->(obj, args, ctx) { UserPolicy.new(obj, ctx[:me]).private_data?(:email) }
+  resolve ...
+end
+```
+
+If the lambda returns a falsy value or raises a `Pundit::UnauthorizedError` the field will resolve to `nil`, if it returns a truthy value, control will be passed to the resolve function. Of course, this can be used with `authorize!` as well.
+
+### Scopes
+
+Pundit scopes are supported by using `scope` in the field definition
+
+```ruby
+field :posts
+  scope
+  resolve ...
+end
+```
+
+By default, this will use the Scope definied in the `PostPolicy`. If you do not want to define a scope inside of the policy, you can also pass a lambda to `scope`. The return value will be passed to `resolve` as first argument.
+
+```ruby
+field :posts
+  scope ->(_root, _args, ctx) { Post.where(owner: ctx[:current_user]) }
+  resolve ->(posts, args, ctx) { ... }
+end
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/Rakefile

@@ -1,6 +1,8 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task default: :spec

data/bin/console

@@ -1,7 +1,8 @@
+# frozen_string_literal: true
 #!/usr/bin/env ruby
 
-require "bundler/setup"
-require "graphql/pundit"
+require 'bundler/setup'
+require 'graphql/pundit'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +11,5 @@ require "graphql/pundit"
 # require "pry"
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start(__FILE__)

data/lib/graphql-pundit.rb

@@ -1,17 +1,33 @@
+# frozen_string_literal: true
+
 require 'graphql-pundit/instrumenter'
 require 'graphql-pundit/version'
 
 require 'graphql'
 
+# Define `authorize` and `authorize!` helpers
 module GraphQL
   def self.assign_authorize(raise_unauthorized)
-    lambda do |defn, query, record = nil|
-      GraphQL::Define::InstanceDefinable::AssignMetadataKey.new(:authorize).call(
-        defn,
-        record: record, query: query, raise: raise_unauthorized
-      )
+    lambda do |defn, query = nil, record = nil|
+      opts = {record: record,
+              query: query || defn.name,
+              raise: raise_unauthorized}
+      if query.respond_to?(:call)
+        opts = {proc: query, raise: raise_unauthorized}
+      end
+      Define::InstanceDefinable::AssignMetadataKey.new(:authorize).
+        call(defn, opts)
     end
   end
-  GraphQL::Field.accepts_definitions authorize: assign_authorize(false)
-  GraphQL::Field.accepts_definitions authorize!: assign_authorize(true)
+
+  def self.assign_scope
+    lambda do |defn, proc = :infer_scope|
+      Define::InstanceDefinable::AssignMetadataKey.new(:scope).
+        call(defn, proc)
+    end
+  end
+
+  Field.accepts_definitions(authorize: assign_authorize(false),
+                            authorize!: assign_authorize(true),
+                            scope: assign_scope)
 end

data/lib/graphql-pundit/instrumenter.rb

@@ -1,43 +1,36 @@
+# frozen_string_literal: true
+
 require 'pundit'
+require 'graphql-pundit/instrumenters/authorization'
+require 'graphql-pundit/instrumenters/scope'
 
 module GraphQL
   module Pundit
+    # Intrumenter combining the authorization and scope instrumenters
     class Instrumenter
-      attr_reader :current_user
+      attr_reader :current_user,
+                  :authorization_instrumenter,
+                  :scope_instrumenter
 
       def initialize(current_user = :current_user)
         @current_user = current_user
+        @authorization_instrumenter = Instrumenters::Authorization.
+          new(current_user)
+        @scope_instrumenter = Instrumenters::Scope.new(current_user)
       end
 
-      def instrument(_type, field)
-        if field.metadata[:authorize]
-          old_resolve = field.resolve_proc
-          resolve_proc = resolve_proc(current_user,
-                                      old_resolve,
-                                      field.metadata[:authorize])
-          field.redefine do
-            resolve resolve_proc
-          end
-        else
-          field
-        end
+      def instrument(type, field)
+        scoped_field = scope_instrumenter.instrument(type, field)
+        authorization_instrumenter.instrument(type, scoped_field)
       end
 
-      def resolve_proc(current_user, old_resolve, options)
-        lambda do |obj, args, ctx|
-          query = options[:query].to_s + '?'
-          record = options[:record] || obj
-          begin
-            unless ::Pundit.authorize(ctx[current_user], record, query)
-              raise ::Pundit::NotAuthorizedError
-            end
-            old_resolve.call(obj, args, ctx)
-          rescue ::Pundit::NotAuthorizedError
-            if options[:raise]
-              raise GraphQL::ExecutionError,
-                    "You're not authorized to do this"
-            end
-          end
+      def authorize(current_user, obj, args, ctx, options)
+        if options[:proc]
+          options[:proc].call(obj, args, ctx)
+        else
+          ::Pundit.authorize(ctx[current_user],
+                             options[:record] || obj,
+                             options[:query].to_s + '?')
         end
       end
     end

data/lib/graphql-pundit/instrumenters/authorization.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'pundit'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `authorize`
+      class Authorization
+        attr_reader :current_user
+
+        def initialize(current_user = :current_user)
+          @current_user = current_user
+        end
+
+        def instrument(_type, field)
+          return field unless field.metadata[:authorize]
+          old_resolve = field.resolve_proc
+          resolve_proc = resolve_proc(current_user,
+                                      old_resolve,
+                                      field.metadata[:authorize])
+          field.redefine do
+            resolve resolve_proc
+          end
+        end
+
+        # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
+        def resolve_proc(current_user, old_resolve, options)
+          # rubocop:enable Metrics/MethodLength, Metrics/AbcSize
+          lambda do |obj, args, ctx|
+            begin
+              result = if options[:proc]
+                         options[:proc].call(obj, args, ctx)
+                       else
+                         query = options[:query].to_s + '?'
+                         record = options[:record] || obj
+                         ::Pundit.authorize(ctx[current_user], record, query)
+                       end
+              raise ::Pundit::NotAuthorizedError unless result
+              old_resolve.call(obj, args, ctx)
+            rescue ::Pundit::NotAuthorizedError
+              if options[:raise]
+                raise GraphQL::ExecutionError,
+                      "You're not authorized to do this"
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/scope.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'pundit'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `scope`
+      class Scope
+        attr_reader :current_user
+
+        def initialize(current_user = :current_user)
+          @current_user = current_user
+        end
+
+        # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
+        def instrument(_type, field)
+          # rubocop:enable Metrics/MethodLength, Metrics/AbcSize
+          scope = field.metadata[:scope]
+          return field unless scope
+          unless valid_value?(scope)
+            raise ArgumentError, 'Invalid value passed to `scope`'
+          end
+
+          old_resolve = field.resolve_proc
+
+          scope_proc = lambda do |obj, _args, ctx|
+            ::Pundit.policy_scope!(ctx[current_user], obj)
+          end
+          scope_proc = scope if proc?(scope)
+
+          field.redefine do
+            resolve(lambda do |obj, args, ctx|
+              new_scope = scope_proc.call(obj, args, ctx)
+              old_resolve.call(new_scope, args, ctx)
+            end)
+          end
+        end
+
+        private
+
+        def valid_value?(value)
+          inferred?(value) || proc?(value)
+        end
+
+        def proc?(value)
+          value.respond_to?(:call)
+        end
+
+        def inferred?(value)
+          value == :infer_scope
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module GraphQL
   module Pundit
-    VERSION = '0.1.0'.freeze
+    VERSION = '0.2.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: graphql-pundit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Ontohub Core Developers
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-08-07 00:00:00.000000000 Z
+date: 2017-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: graphql
@@ -143,6 +143,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".codeclimate.yml"
 - ".gitignore"
 - ".hound.yml"
 - ".rspec"
@@ -161,6 +162,8 @@ files:
 - graphql-pundit.gemspec
 - lib/graphql-pundit.rb
 - lib/graphql-pundit/instrumenter.rb
+- lib/graphql-pundit/instrumenters/authorization.rb
+- lib/graphql-pundit/instrumenters/scope.rb
 - lib/graphql-pundit/version.rb
 homepage: https://github.com/ontohub/graphql-pundit
 licenses: