graphql-pundit 0.6.0 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 172d8bc2da3de10959960ab5491a12cf507e41556dec8c74838cf0560c86e562
-  data.tar.gz: 648e81f02b53de5860f48940d16ebfaf064bae183211dbfb268dc5ab02cdbf6d
+  metadata.gz: c58e3531c4741bc540930aaed36534a6453619aae97fcbf3d16206aa68c354a5
+  data.tar.gz: f6a1e97460f2c5077934fd1ad2b77dd5598be7cfd7191790c215f0963bbc1f13
 SHA512:
-  metadata.gz: fbe76191f2019c364ce138a8165bab8da762c49207eb32d1923bbe76ae5fdc3107ba5ec2dc34f8e982cf07a6d0d1c2d764a3eb8096a944de9e5bf353aa9e46e3
-  data.tar.gz: c57af68dd07a61fe7c633f2c5c61ed4fff6f9664545bd8f03d570cf0676096fb2d501c2a5ac839335edd6ed1bbd0e8a26f7b3a1ffcce6006ae9632fb4167dd90
+  metadata.gz: 78f956d0d6028d4d13055844814e518b93c3ac2d678fde2fd7a06d3acd63c8055ef3a9b8ead1c6e594af8496a5b37c8e3c8488ba9fb68ae473cab2e3e22bc5fe
+  data.tar.gz: 3b59cb152f50188dc3077490add56b640c5eb7d31cff3da4a3f14ac843f96e28084fe10c2c1d6626bfc8a2bffdb52ad34e455d9ef5fa02d99ce66186f6882251

data/.gitignore

@@ -7,6 +7,7 @@
 /pkg/
 /spec/reports/
 /tmp/
+/.vscode/
 
 # rspec failure tracking
 .rspec_status

data/.rubocop.yml

@@ -13,11 +13,15 @@ AllCops:
     - 'bin/setup'
     - 'bin/spring'
     - 'bin/update'
+    - 'config/deploy/*.rb'
+    - 'config/mixins/applications/*.rb'
+    - 'data/**/*'
     - 'db/schema.rb'
     - 'node_modules/**/*'
     - 'spec/dummy/**/*'
     - 'vendor/**/*'
     - 'repositories/**/*'
+    - 'repos/**/*'
     - 'tmp/**/*'
 
 Layout/AlignParameters:
@@ -50,12 +54,18 @@ Metrics/LineLength:
 
 Naming/FileName:
   Exclude:
+    - config/deploy/*.rb
+    - config/mixins/applications/*.rb
     - lib/git-shell.rb
     - lib/graphql-pundit.rb
     - lib/hets-agent.rb
     - lib/ontohub-models.rb
     - spec/lib/git-shell_spec.rb
 
+Naming/UncommunicativeMethodParamName:
+  Exclude:
+    - 'spec/**/*'
+
 Style/Documentation:
   Exclude:
     - 'app/indexers/**/*'
@@ -83,5 +93,8 @@ Style/SymbolArray:
   Exclude:
     - 'db/migrate/**'
 
-Style/TrailingCommaInLiteral:
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInHashLiteral:
   EnforcedStyleForMultiline: comma

data/.ruby-version

@@ -1 +1 @@
-2.5
+2.5.1

data/.travis.yml

@@ -7,7 +7,7 @@ rvm:
   - 2.2.9
   - 2.3.6
   - 2.4.3
-  - 2.5.0
+  - 2.5.1
 
 notifications:
   email: false

data/README.md

@@ -6,14 +6,12 @@
 
 # GraphQL::Pundit
 
-
-
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'graphql-pundit'
+gem 'graphql-pundit', '~> 0.7.0'
 ```
 
 And then execute:
@@ -22,9 +20,231 @@ And then execute:
 $ bundle
 ```
 
+### Upgrade Notice
+
+If you're upgrading from an earlier version, make sure to delete your
+`bootsnap` cache, to avoid a load error (see
+[this issue](https://github.com/ontohub/graphql-pundit/issues/51)).
+The cache files are usually located in the `tmp` directory in your
+repository and are named `bootsnap-compile-cache` and
+`bootsnap-load-path-cache`.
+
 ## Usage
 
-### Add the authorization middleware
+### Class based API (`graphql-ruby >= 1.8`)
+
+To use `graphql-pundit` with the class based API introduced in `graphql`
+version 1.8, the used `Field` class must be changed:
+
+It is recommended to have application-specific base classes, from which the
+other types inherit (similar to having an `ApplicationController` from which
+all other controllers inherit). That base class can be used to define a
+custom field class, on which the new `graphql-pundit` API builds.
+
+```ruby
+class BaseObject < GraphQL::Schema::Object
+  field_class GraphQL::Pundit::Field
+end
+```
+
+All other object types now inherit from `BaseObject`, and that is all that is
+needed to get `graphql-pundit` working with the class based API.
+
+In case you already use a custom field type, or if you want to use a context
+key other than `:current_user` to make your current user available, you can
+include `graphql-pundit`'s functionality into your field type:
+
+```ruby
+class MyFieldType < GraphQL::Schema::Field
+  prepend GraphQL::Pundit::Scope
+  prepend GraphQL::Pundit::Authorization
+
+  current_user :me # if the current_user is passed in as context[:me]
+end
+```
+
+When using this, make sure the order of `prepend`s is correct, as you usually want the authorization to happen **first**, which means that it needs to be `prepend`ed **after** the scopes (if you need them).
+
+#### Usage
+
+```ruby
+class Car < BaseObject
+  field :trunk, CarContent, null: true,
+                            authorize: true
+end
+```
+
+The above example shows the most basic usage of this gem. The example would
+use `CarPolicy#trunk?` for authorizing access to the field, passing in the
+parent object (in this case probably a `Car` model).
+
+##### Options
+
+Two styles of declaring fields is supported:
+
+1. the inline style, passing all the options as a hash to the field method
+2. the block style
+
+Both styles are presented below side by side.
+
+###### `authorize` and `authorize!`
+
+To use authorization on a field, you **must** pass either the `authorize` or
+`authorize!` option. Both options will cause the field to return `nil` if the
+access is unauthorized, but `authorize!` will also add an error message (e.g.
+for usage with mutations).
+
+`authorize` and `authorize!` can be passed three different things:
+
+```ruby
+class User < BaseObject
+  # will use the `UserPolicy#display_name?` method
+  field :display_name, ..., authorize: true
+  field :display_name, ... do
+    authorize
+  end
+
+  # will use the passed lambda instead of a policy method
+  field :password_hash, ..., authorize: ->(obj, args, ctx) { ... }
+  field :password_hash, ... do
+    authorize ->(obj, args, ctx) { ... }
+  end
+
+  # will use the `UserPolicy#personal_info?` method
+  field :email, ..., authorize: :personal_info
+  field :email, ... do
+    authorize :personal_info
+  end
+end
+```
+
+- `true` will trigger the inference mechanism, meaning that the method that will be called on the policy class will be inferred from the (snake_case) field name.
+- a lambda function that will be called with the parent object, the arguments of the field and the context object; if the lambda returns a truthy value, authorization succeeds; otherwise (including thrown exceptions), authorization fails
+- a string or a symbol that corresponds to the policy method that should be called **minus the "?"**
+
+###### `policy`
+
+`policy` is an optional argument that can also be passed three different values:
+
+```ruby
+class User < BaseObject
+  # will use the `UserPolicy#display_name?` method (default inference)
+  field :display_name, ..., authorize: true, policy: nil
+  field :display_name do
+    authorize policy: nil
+  end
+
+  # will use OtherUserPolicy#password_hash?
+  field :password_hash, ...,
+                        authorize: true,
+                        policy: ->(obj, args, ctx) { OtherUserPolicy }
+  field :password_hash, ... do
+    authorize policy: ->(obj, args, ctx) { OtherUserPolicy }
+  end
+
+  # will use MemberPolicy#email?
+  field :email, ..., authorize: true, policy: MemberPolicy
+  field :email, ... do
+    authorize policy: MemberPolicy
+  end
+end
+```
+
+- `nil` is the default behavior and results in inferring the policy class from the record (see below)
+- a lambda function that will be called with the parent object, the arguments of the field and the context object; the return value of this function will be used as the policy class
+- an actual policy class
+
+###### `record`
+
+`record` can be used to pass a different value to the policy. Like `policy`,
+this argument also can receive three different values:
+
+```ruby
+class User < BaseObject
+  # will use the parent object
+  field :display_name, ..., authorize: true, record: nil
+  field :display_name do
+    authorize record: nil
+  end
+
+  # will use the current user as the record
+  field :password_hash, ...,
+                        authorize: true,
+                        record: ->(obj, args, ctx) { ctx[:current_user] }
+  field :password_hash, ... do
+    authorize record: ->(obj, args, ctx) { ctx[:current_user] }
+  end
+
+  # will use AccountPolicy#email? with the first account as the record (the policy was inferred from the record class)
+  field :email, ..., authorize: true, record: Account.first
+  field :email, ... do
+    authorize record: Account.first
+  end
+end
+```
+
+- `nil` is again used for the inference; in this case, the parent object is used
+- a lambda function, again called with the parent object, the field arguments and the context object; the result will be used as the record
+- any other value that will be used as the record
+
+Using `record` can be helpful for e.g. mutations, where you need a value to
+initialize the policy with, but for mutations there is no parent object.
+
+###### `before_scope` and `after_scope`
+
+`before_scope` and `after_scope` can be used to apply Pundit scopes to the
+fields. Both options can be combined freely within one field. The result of
+`before_scope` is passed to the resolver as the "parent object", while the
+result of `after_scope` is returned as the result of the field.
+
+```ruby
+class User < BaseObject
+  # will use the `PostPolicy::Scope` before the resolver
+  field :posts, ..., before_scope: true
+  field :posts, ... do
+    before_scope
+  end
+
+  # will use the passed lambda after the resolver
+  field :comments, ..., after_scope: ->(comments, args, ctx) { ... }
+  field :comments, ... do
+    after_scope ->(comments, args, ctx) { ... }
+  end
+
+  # will use the `FriendPolicy::Scope`
+  field :friends, ..., after_scope: FriendPolicy
+  field :friends, ... do
+    after_scope FriendPolicy
+  end
+end
+```
+
+- `true` will trigger the inference mechanism, where the policy class, which contains the scope class, is inferred based on either the parent object (for `before_scope`) or the result of the resolver (for `after_scope`).
+- a lambda function, that will be called with the parent object (for `before_scope`) or the result of the resolver (for `after_scope`), the field arguments and the context
+- a policy class that contains a `Scope` class (this does not actually have to be a policy class, but could also be a module containing a `Scope` class)
+
+###### Combining options
+
+All options can be combined with one another (except `authorize` and `authorize!`; please don't do that). Examples:
+
+```ruby
+# MemberPolicy#name? initialized with the parent
+field :display_name, ..., authorize: :name,
+                          policy: MemberPolicy
+
+# UserPolicy#display_name? initialized with user.account_data
+field :display_name, ..., do
+  authorize policy: UserPolicy, 
+            record: ->(obj, args, ctx) { obj.account_data }
+end
+```
+
+### Legacy `define` API
+
+The legacy `define` based API will be supported until it is removed from the
+`graphql` gem (as planned for version 1.10).
+
+#### Add the authorization middleware
 
 Add the following to your GraphQL schema:
 
@@ -42,7 +262,7 @@ By default, `ctx[:current_user]` will be used as the user to authorize. To chang
 GraphQL::Pundit::Instrumenter.new(:me) # will use ctx[:me]
 ```
 
-### Authorize fields
+#### Authorize fields
 
 For each field you want to authorize via Pundit, add the following code to the field definition:
 
@@ -102,7 +322,7 @@ end
 
 If the lambda returns a falsy value or raises a `Pundit::UnauthorizedError` the field will resolve to `nil`, if it returns a truthy value, control will be passed to the resolve function. Of course, this can be used with `authorize!` as well.
 
-### Scopes
+#### Scopes
 
 Pundit scopes are supported by using `before_scope` and `after_scope` in the field definition
 

data/graphql-pundit.gemspec

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'graphql-pundit/version'
 
@@ -22,18 +22,18 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'graphql', '>= 1.6.4', '< 1.8.0'
+  spec.add_dependency 'graphql', '>= 1.6.4', '< 1.10.0'
   spec.add_dependency 'pundit', '~> 1.1.0'
 
   spec.add_development_dependency 'bundler', '~> 1.14'
   spec.add_development_dependency 'codecov', '~> 0.1.10'
   spec.add_development_dependency 'fuubar', '~> 2.3.0'
   spec.add_development_dependency 'pry', '~> 0.11.0'
-  spec.add_development_dependency 'pry-byebug', '~> 3.5.0'
+  spec.add_development_dependency 'pry-byebug', '~> 3.6.0'
   spec.add_development_dependency 'pry-rescue', '~> 1.4.4'
   spec.add_development_dependency 'pry-stack_explorer', '~> 0.4.9.2'
   spec.add_development_dependency 'rake', '~> 12.0'
   spec.add_development_dependency 'rspec', '~> 3.6'
-  spec.add_development_dependency 'rubocop', '~> 0.52.1'
-  spec.add_development_dependency 'simplecov', '~> 0.15.1'
+  spec.add_development_dependency 'rubocop', '~> 0.57.0'
+  spec.add_development_dependency 'simplecov', '~> 0.16.1'
 end

data/lib/graphql-pundit.rb

@@ -1,6 +1,9 @@
 # frozen_string_literal: true
 
 require 'graphql-pundit/instrumenter'
+require 'graphql-pundit/field'
+require 'graphql-pundit/authorization'
+require 'graphql-pundit/scope'
 require 'graphql-pundit/version'
 
 require 'graphql'
@@ -15,9 +18,10 @@ module GraphQL
       @raise_unauthorized = raise_unauthorized
     end
 
-    def call(defn, query = nil, policy: nil, record: nil)
+    def call(defn, *args, policy: nil, record: nil)
+      query = args[0] || defn.name
       opts = {record: record,
-              query: query || defn.name,
+              query: query,
               policy: policy,
               raise: raise_unauthorized}
       if query.respond_to?(:call)

data/lib/graphql-pundit/authorization.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'graphql-pundit/common'
+
+module GraphQL
+  module Pundit
+    # Authorization methods to be included in the used Field class
+    module Authorization
+      def self.prepended(base)
+        base.include(GraphQL::Pundit::Common)
+      end
+
+      # rubocop:disable Metrics/ParameterLists
+      def initialize(*args, authorize: nil,
+                            record: nil,
+                            policy: nil,
+                            **kwargs, &block)
+        # rubocop:enable Metrics/ParameterLists
+        # authorize! is not a valid variable name
+        authorize_bang = kwargs.delete(:authorize!)
+        @record = record if record
+        @policy = policy if policy
+        @authorize = authorize_bang || authorize
+        @do_raise = !!authorize_bang
+        super(*args, **kwargs, &block)
+      end
+
+      def authorize(*args, record: nil, policy: nil)
+        @authorize = args[0] || true
+        @record = record if record
+        @policy = policy if policy
+      end
+
+      def authorize!(*args, record: nil, policy: nil)
+        @do_raise = true
+        authorize(*args, record: record, policy: policy)
+      end
+
+      def resolve_field(obj, args, ctx)
+        raise ::Pundit::NotAuthorizedError unless do_authorize(obj, args, ctx)
+        super(obj, args, ctx)
+      rescue ::Pundit::NotAuthorizedError
+        if @do_raise
+          raise GraphQL::ExecutionError, "You're not authorized to do this"
+        end
+      end
+
+      private
+
+      def do_authorize(root, arguments, context)
+        return true unless @authorize
+        return @authorize.call(root, arguments, context) if callable? @authorize
+
+        query = infer_query(@authorize)
+        record = infer_record(@record, root, arguments, context)
+        policy = infer_policy(@policy, record, arguments, context)
+
+        policy.new(context[self.class.current_user], record).public_send query
+      end
+
+      def infer_query(auth_value)
+        # authorize can be callable, true (for inference) or a policy query
+        query = auth_value.equal?(true) ? method_sym : auth_value
+        query.to_s + '?'
+      end
+
+      def infer_record(record, root, arguments, context)
+        # record can be callable, nil (for inference) or just any other value
+        if callable?(record)
+          record.call(root, arguments, context)
+        elsif record.equal?(nil)
+          root
+        else
+          record
+        end
+      end
+
+      def infer_policy(policy, record, arguments, context)
+        # policy can be callable, nil (for inference) or a policy class
+        if callable?(policy)
+          policy.call(record, arguments, context)
+        elsif policy.equal?(nil)
+          infer_from = model?(record) ? record.model : record
+          ::Pundit::PolicyFinder.new(infer_from).policy!
+        else
+          policy
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/common.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Pundit
+    # Common methods used for authorization and scopes
+    module Common
+      # Class methods to be included in the Field class
+      module ClassMethods
+        def current_user(current_user = nil)
+          return @current_user unless current_user
+          @current_user = current_user
+        end
+      end
+
+      def self.included(base)
+        @current_user = :current_user
+        base.extend(ClassMethods)
+      end
+
+      def callable?(thing)
+        thing.respond_to?(:call)
+      end
+
+      def model?(thing)
+        thing.respond_to?(:model)
+      end
+    end
+  end
+end

data/lib/graphql-pundit/field.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require 'graphql-pundit/authorization'
+require 'graphql-pundit/scope'
+
+module GraphQL
+  module Pundit
+    if defined?(GraphQL::Schema::Field)
+      # Field class that contains authorization and scope behavior
+      # This only works with graphql >= 1.8.0
+      class Field < GraphQL::Schema::Field
+        prepend GraphQL::Pundit::Scope
+        prepend GraphQL::Pundit::Authorization
+      end
+    end
+  end
+end

data/lib/graphql-pundit/scope.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'graphql-pundit/common'
+
+module GraphQL
+  module Pundit
+    # Scope methods to be included in the used Field class
+    module Scope
+      def self.prepended(base)
+        base.include(GraphQL::Pundit::Common)
+      end
+
+      def initialize(*args, before_scope: nil,
+                            after_scope: nil,
+                            **kwargs, &block)
+        @before_scope = before_scope
+        @after_scope = after_scope
+        super(*args, **kwargs, &block)
+      end
+
+      def before_scope(scope = true)
+        @before_scope = scope
+      end
+
+      def after_scope(scope = true)
+        @after_scope = scope
+      end
+
+      def resolve_field(obj, args, ctx)
+        before_scope_return = apply_scope(@before_scope, obj, args, ctx)
+        field_return = super(before_scope_return, args, ctx)
+        apply_scope(@after_scope, field_return, args, ctx)
+      end
+
+      private
+
+      def apply_scope(scope, root, arguments, context)
+        return root unless scope
+        return scope.call(root, arguments, context) if scope.respond_to?(:call)
+
+        scope = infer_scope(root) if scope.equal?(true)
+        scope::Scope.new(context[self.class.current_user], root).resolve
+      end
+
+      def infer_scope(root)
+        infer_from = model?(root) ? root.model : root
+        ::Pundit::PolicyFinder.new(infer_from).policy!
+      end
+    end
+  end
+end

data/lib/graphql-pundit/version.rb

@@ -2,6 +2,6 @@
 
 module GraphQL
   module Pundit
-    VERSION = '0.6.0'
+    VERSION = '0.7.1'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: graphql-pundit
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.1
 platform: ruby
 authors:
 - Ontohub Core Developers
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-03-19 00:00:00.000000000 Z
+date: 2018-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: graphql
@@ -19,7 +19,7 @@ dependencies:
         version: 1.6.4
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.10.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 1.6.4
     - - "<"
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.10.0
 - !ruby/object:Gem::Dependency
   name: pundit
   requirement: !ruby/object:Gem::Requirement
@@ -106,14 +106,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.5.0
+        version: 3.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.5.0
+        version: 3.6.0
 - !ruby/object:Gem::Dependency
   name: pry-rescue
   requirement: !ruby/object:Gem::Requirement
@@ -176,28 +176,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.52.1
+        version: 0.57.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.52.1
+        version: 0.57.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.15.1
+        version: 0.16.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.15.1
+        version: 0.16.1
 description: Pundit authorization support for graphql
 email:
 - ontohub-dev-l@ovgu.de
@@ -221,11 +221,15 @@ files:
 - bin/setup
 - graphql-pundit.gemspec
 - lib/graphql-pundit.rb
+- lib/graphql-pundit/authorization.rb
+- lib/graphql-pundit/common.rb
+- lib/graphql-pundit/field.rb
 - lib/graphql-pundit/instrumenter.rb
 - lib/graphql-pundit/instrumenters/after_scope.rb
 - lib/graphql-pundit/instrumenters/authorization.rb
 - lib/graphql-pundit/instrumenters/before_scope.rb
 - lib/graphql-pundit/instrumenters/scope.rb
+- lib/graphql-pundit/scope.rb
 - lib/graphql-pundit/version.rb
 homepage: https://github.com/ontohub/graphql-pundit
 licenses:
@@ -247,7 +251,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.14
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Pundit authorization support for graphql