authorize.rb 1.67 KB
Newer Older
Nick Thomas's avatar
Nick Thomas committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55
module Gitlab
  module Graphql
    # Allow fields to declare permissions their objects must have. The field
    # will be set to nil unless all required permissions are present.
    class Authorize
      SETUP_PROC = -> (type, *args) do
        type.metadata[:authorize] ||= []
        type.metadata[:authorize].concat(args)
      end

      INSTRUMENT_PROC = -> (schema) do
        schema.instrument(:field, new)
      end

      def self.register!
        GraphQL::Schema.accepts_definitions(enable_authorization: INSTRUMENT_PROC)
        GraphQL::Field.accepts_definitions(authorize: SETUP_PROC)
      end

      # Replace the resolver for the field with one that will only return the
      # resolved object if the permissions check is successful.
      #
      # Collections are not supported. Apply permissions checks for those at the
      # database level instead, to avoid loading superfluous data from the DB
      def instrument(_type, field)
        return field unless field.metadata.include?(:authorize)

        old_resolver = field.resolve_proc

        new_resolver = -> (obj, args, ctx) do
          resolved_obj = old_resolver.call(obj, args, ctx)
          checker = build_checker(ctx[:current_user], field.metadata[:authorize])

          if resolved_obj.respond_to?(:then)
            resolved_obj.then(&checker)
          else
            checker.call(resolved_obj)
          end
        end

        field.redefine do
          resolve(new_resolver)
        end
      end

      private

      def build_checker(current_user, abilities)
        proc do |obj|
          obj if abilities.all? { |ability| Ability.allowed?(current_user, ability, obj) }
        end
      end
    end
  end
end