blob: 6f9de8c38b7067dca1314f5851ad846201f9f95f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
module Gitlab
module Graphql
# Allow fields to declare permissions their objects must have. The field
# will be set to nil unless all required permissions are present.
class Authorize
SETUP_PROC = -> (type, *args) do
type.metadata[:authorize] ||= []
type.metadata[:authorize].concat(args)
end
INSTRUMENT_PROC = -> (schema) do
schema.instrument(:field, new)
end
def self.register!
GraphQL::Schema.accepts_definitions(enable_authorization: INSTRUMENT_PROC)
GraphQL::Field.accepts_definitions(authorize: SETUP_PROC)
end
# Replace the resolver for the field with one that will only return the
# resolved object if the permissions check is successful.
#
# Collections are not supported. Apply permissions checks for those at the
# database level instead, to avoid loading superfluous data from the DB
def instrument(_type, field)
return field unless field.metadata.include?(:authorize)
old_resolver = field.resolve_proc
new_resolver = -> (obj, args, ctx) do
resolved_obj = old_resolver.call(obj, args, ctx)
checker = build_checker(ctx[:current_user], field.metadata[:authorize])
if resolved_obj.respond_to?(:then)
resolved_obj.then(&checker)
else
checker.call(resolved_obj)
end
end
field.redefine do
resolve(new_resolver)
end
end
private
def build_checker(current_user, abilities)
proc do |obj|
# Load the elements if they weren't loaded by BatchLoader yet
obj = obj.sync if obj.respond_to?(:sync)
obj if abilities.all? { |ability| Ability.allowed?(current_user, ability, obj) }
end
end
end
end
end
|
