graphql-pundit2 0.9.1

data/lib/graphql-pundit/authorization.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'graphql-pundit/common'
+
+module GraphQL
+  module Pundit
+    # Authorization methods to be included in the used Field class
+    module Authorization
+      def self.prepended(base)
+        base.include(GraphQL::Pundit::Common)
+      end
+
+      # rubocop:disable Metrics/ParameterLists
+      def initialize(*args, authorize: nil,
+                     record: nil,
+                     policy: nil,
+                     **kwargs, &block)
+        # rubocop:enable Metrics/ParameterLists
+        # authorize! is not a valid variable name
+        authorize_bang = kwargs.delete(:authorize!)
+        @record = record if record
+        @policy = policy if policy
+        @authorize = authorize_bang || authorize
+        @do_raise = !!authorize_bang
+        super(*args, policy: policy, record: record, **kwargs, &block)
+      end
+
+      def authorize(*args, record: nil, policy: nil)
+        @authorize = args[0] || true
+        @record = record if record
+        @policy = policy if policy
+      end
+
+      def authorize!(*args, record: nil, policy: nil)
+        @do_raise = true
+        authorize(*args, record: record, policy: policy)
+      end
+
+      def resolve(obj, args, ctx)
+        raise ::Pundit::NotAuthorizedError unless do_authorize(obj, args, ctx)
+
+        super(obj, args, ctx)
+      rescue ::Pundit::NotAuthorizedError
+        raise GraphQL::ExecutionError, "You're not authorized to do this" if @do_raise
+      end
+
+      alias resolve_field resolve
+
+      private
+
+      def do_authorize(root, arguments, context)
+        return true unless @authorize
+        return @authorize.call(root, arguments, context) if callable? @authorize
+
+        query = infer_query(@authorize)
+        record = infer_record(@record, root, arguments, context)
+        policy = infer_policy(@policy, record, arguments, context)
+
+        policy.new(context[self.class.current_user], record).public_send query
+      end
+
+      def infer_query(auth_value)
+        # authorize can be callable, true (for inference) or a policy query
+        query = auth_value.equal?(true) ? method_sym : auth_value
+        "#{query}?"
+      end
+
+      def infer_record(record, root, arguments, context)
+        # record can be callable, nil (for inference) or just any other value
+        if callable?(record)
+          record.call(root, arguments, context)
+        elsif record.equal?(nil)
+          root
+        else
+          record
+        end
+      end
+
+      def infer_policy(policy, record, arguments, context)
+        # policy can be callable, nil (for inference) or a policy class
+        if callable?(policy)
+          policy.call(record, arguments, context)
+        elsif policy.equal?(nil)
+          infer_from = model?(record) ? record.model : record
+          infer_from = object?(record) ? record.object : infer_from
+          ::Pundit::PolicyFinder.new(infer_from).policy!
+        else
+          policy
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/common.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Pundit
+    # Common methods used for authorization and scopes
+    module Common
+      # Class methods to be included in the Field class
+      module ClassMethods
+        def current_user(current_user = nil)
+          return @current_user unless current_user
+
+          @current_user = current_user
+        end
+      end
+
+      def self.included(base)
+        @current_user = :current_user
+        base.extend(ClassMethods)
+      end
+
+      def callable?(thing)
+        thing.respond_to?(:call)
+      end
+
+      def model?(thing)
+        thing.respond_to?(:model)
+      end
+
+      def object?(thing)
+        thing.respond_to?(:object)
+      end
+    end
+  end
+end

data/lib/graphql-pundit/field.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require 'graphql-pundit/authorization'
+require 'graphql-pundit/scope'
+
+module GraphQL
+  # Our custom pundit module
+  module Pundit
+    # Field class that contains authorization and scope behavior
+    # This only works with graphql >= 1.8.0
+    class Field < GraphQL::Schema::Field
+      prepend GraphQL::Pundit::Scope
+      prepend GraphQL::Pundit::Authorization
+    end
+  end
+end

data/lib/graphql-pundit/instrumenter.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'pundit'
+require 'graphql-pundit/instrumenters/authorization'
+require 'graphql-pundit/instrumenters/before_scope'
+require 'graphql-pundit/instrumenters/after_scope'
+
+module GraphQL
+  module Pundit
+    # Intrumenter combining the authorization and scope instrumenters
+    class Instrumenter
+      attr_reader :current_user,
+                  :authorization_instrumenter,
+                  :before_scope_instrumenter,
+                  :after_scope_instrumenter
+
+      def initialize(current_user = :current_user)
+        @current_user = current_user
+        @authorization_instrumenter =
+          Instrumenters::Authorization.new(current_user)
+        @before_scope_instrumenter =
+          Instrumenters::BeforeScope.new(current_user)
+        @after_scope_instrumenter = Instrumenters::AfterScope.new(current_user)
+      end
+
+      def instrument(type, field)
+        before_scoped_field = before_scope_instrumenter.instrument(type, field)
+        after_scoped_field = after_scope_instrumenter
+          .instrument(type, before_scoped_field)
+        authorization_instrumenter.instrument(type, after_scoped_field)
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/after_scope.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'pundit'
+require_relative 'scope'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `after_scope`
+      class AfterScope < Scope
+        SCOPE_KEY = :after_scope
+
+        # Applies the scoping to the passed object
+        class ScopeResolver < ScopeResolver
+          def call(root, arguments, context)
+            resolver_result = old_resolver.call(root, arguments, context)
+            scope_proc = new_scope(scope)
+            scope_proc.call(resolver_result, arguments, context)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/authorization.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'pundit'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `authorize`
+      class Authorization
+        # This does the actual Pundit authorization
+        class AuthorizationResolver
+          attr_reader :current_user, :old_resolver, :options
+
+          def initialize(current_user, old_resolver, options)
+            @current_user = current_user
+            @old_resolver = old_resolver
+            @options = options
+          end
+
+          def call(root, arguments, context)
+            raise ::Pundit::NotAuthorizedError unless authorize(root, arguments, context)
+
+            old_resolver.call(root, arguments, context)
+          rescue ::Pundit::NotAuthorizedError
+            raise GraphQL::ExecutionError, "You're not authorized to do this" if options[:raise]
+          end
+
+          private
+
+          def authorize(root, arguments, context)
+            if options[:proc]
+              options[:proc].call(root, arguments, context)
+            else
+              record = record(root, arguments, context)
+              ::Pundit::PolicyFinder.new(policy(record)).policy!
+                .new(context[current_user], record).public_send(query)
+            end
+          end
+
+          def query
+            @query ||= "#{options[:query]}?"
+          end
+
+          def policy(record)
+            options[:policy] || record
+          end
+
+          def record(root, arguments, context)
+            if options[:record].respond_to?(:call)
+              options[:record].call(root, arguments, context)
+            else
+              options[:record] || root
+            end
+          end
+        end
+
+        attr_reader :current_user
+
+        def initialize(current_user = :current_user)
+          @current_user = current_user
+        end
+
+        def instrument(_type, field)
+          return field unless field.metadata[:authorize]
+
+          old_resolver = field.resolve_proc
+          resolver = AuthorizationResolver.new(current_user,
+                                               old_resolver,
+                                               field.metadata[:authorize])
+          field.redefine do
+            resolve resolver
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/before_scope.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'pundit'
+require_relative 'scope'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Instrumenter that supplies `before_scope`
+      class BeforeScope < Scope
+        SCOPE_KEY = :before_scope
+
+        # Applies the scoping to the passed object
+        class ScopeResolver < ScopeResolver
+          def call(root, arguments, context)
+            if field.metadata[:before_scope][:deprecated]
+              Kernel.warn <<~DEPRECATION_WARNING
+                Using `scope` is deprecated and might be removed in the future.
+                Please use `before_scope` or `after_scope` instead.
+              DEPRECATION_WARNING
+            end
+            scope_proc = new_scope(scope)
+            resolver_result = scope_proc.call(root, arguments, context)
+            old_resolver.call(resolver_result, arguments, context)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/instrumenters/scope.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'pundit'
+
+module GraphQL
+  module Pundit
+    module Instrumenters
+      # Base instrumenter for `before_scope` and `after_scope`
+      class Scope
+        # Applies the scoping to the passed object
+        class ScopeResolver
+          attr_reader :current_user, :scope, :old_resolver, :field
+
+          def initialize(current_user, scope, old_resolver, field)
+            @current_user = current_user
+            @old_resolver = old_resolver
+            @field = field
+
+            raise ArgumentError, 'Invalid value passed to `scope`' unless valid_value?(scope)
+
+            @scope = scope
+          end
+
+          private
+
+          def new_scope(scope)
+            return scope if proc?(scope)
+
+            lambda do |root, _arguments, context|
+              scope = find_scope(root, scope)
+              scope.new(context[current_user], root).resolve
+            end
+          end
+
+          def find_scope(root, scope)
+            if inferred?(scope)
+              # Special case for Sequel datasets that do not respond to
+              # ActiveModel's model_name
+              infer_from = if root.respond_to?(:model)
+                             root.model
+                           else
+                             root
+                           end
+              ::Pundit::PolicyFinder.new(infer_from).scope!
+            else
+              scope::Scope
+            end
+          end
+
+          def valid_value?(value)
+            value.is_a?(Class) || inferred?(value) || proc?(value)
+          end
+
+          def proc?(value)
+            value.respond_to?(:call)
+          end
+
+          def inferred?(value)
+            value == :infer_scope
+          end
+        end
+
+        attr_reader :current_user
+
+        def initialize(current_user = :current_user)
+          @current_user = current_user
+        end
+
+        # rubocop:disable Metrics/MethodLength
+        def instrument(_type, field)
+          # rubocop:enable Metrics/MethodLength
+          scope_metadata = field.metadata[self.class::SCOPE_KEY]
+          return field unless scope_metadata
+
+          scope = scope_metadata[:proc]
+
+          old_resolver = field.resolve_proc
+          resolver = self.class::ScopeResolver.new(current_user,
+                                                   scope,
+                                                   old_resolver,
+                                                   field)
+
+          field.redefine do
+            resolve resolver
+          end
+        end
+      end
+    end
+  end
+end

data/lib/graphql-pundit/scope.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'graphql-pundit/common'
+
+module GraphQL
+  module Pundit
+    # Scope methods to be included in the used Field class
+    module Scope
+      def self.prepended(base)
+        base.include(GraphQL::Pundit::Common)
+      end
+
+      # rubocop:disable Metrics/ParameterLists
+      def initialize(*args, policy: nil,
+                     record: nil,
+                     before_scope: nil,
+                     after_scope: nil,
+                     **kwargs, &block)
+        @before_scope = before_scope
+        @after_scope = after_scope
+        @policy = policy
+        @record = record
+        super(*args, **kwargs, &block)
+      end
+
+      # rubocop:enable Metrics/ParameterLists
+
+      def before_scope(scope = true)
+        @before_scope = scope
+      end
+
+      def after_scope(scope = true)
+        @after_scope = scope
+      end
+
+      def resolve(obj, args, ctx)
+        before_scope_return = apply_scope(@before_scope, obj, args, ctx)
+        field_return = super(before_scope_return, args, ctx)
+        apply_scope(@after_scope, field_return, args, ctx)
+      end
+
+      alias resolve_field resolve
+
+      private
+
+      def apply_scope(scope, root, arguments, context)
+        return root unless scope
+
+        record = @record || root
+        return scope.call(record, arguments, context) if scope.respond_to?(:call)
+
+        scope = infer_scope(record) if scope.equal?(true)
+        scope::Scope.new(context[self.class.current_user], record).resolve
+      end
+
+      def infer_scope(root)
+        infer_from = model?(root) ? root.model : root
+        ::Pundit::PolicyFinder.new(infer_from).policy!
+      end
+    end
+  end
+end

data/lib/graphql-pundit/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Pundit
+    VERSION = '0.9.1'
+  end
+end

data/lib/graphql-pundit2.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'graphql-pundit/instrumenter'
+require 'graphql-pundit/field'
+require 'graphql-pundit/authorization'
+require 'graphql-pundit/scope'
+require 'graphql-pundit/version'
+
+require 'graphql'
+
+# Defines authorization related helpers
+module GraphQL
+  # Defines `authorize` and `authorize!` helpers
+  class AuthorizationHelper
+    attr_reader :raise_unauthorized
+
+    def initialize(raise_unauthorized)
+      @raise_unauthorized = raise_unauthorized
+    end
+
+    def call(defn, *args, policy: nil, record: nil)
+      query = args[0] || defn.name
+      opts = { record: record,
+               query: query,
+               policy: policy,
+               raise: raise_unauthorized }
+      opts = { proc: query, raise: raise_unauthorized } if query.respond_to?(:call)
+      Define::InstanceDefinable::AssignMetadataKey.new(:authorize)
+        .call(defn, opts)
+    end
+  end
+
+  # Defines `scope` helper
+  class ScopeHelper
+    def initialize(before_or_after, deprecated: false)
+      @before_or_after = before_or_after
+      @deprecated = deprecated
+    end
+
+    def call(defn, proc = :infer_scope)
+      opts = { proc: proc, deprecated: @deprecated }
+      Define::InstanceDefinable::AssignMetadataKey
+        .new(:"#{@before_or_after}_scope")
+        .call(defn, opts)
+    end
+  end
+
+  Field.accepts_definitions(authorize: AuthorizationHelper.new(false),
+                            authorize!: AuthorizationHelper.new(true),
+                            after_scope: ScopeHelper.new(:after),
+                            before_scope: ScopeHelper.new(:before),
+                            scope: ScopeHelper.new(:before, deprecated: true))
+end