Use trace GraphQL API instead of field extension

exAspArk · Apr 8, 2020 · 538a157 · 538a157
1 parent 975c9e3
commit 538a157
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 57 deletions.
diff --git a/lib/graphql/guard.rb b/lib/graphql/guard.rb
@@ -1,14 +1,14 @@
 # frozen_string_literal: true
 
 require "graphql"
-require "graphql/guard/field_extension"
 require "graphql/guard/version"
 
 module GraphQL
   class Guard
     NotAuthorizedError = Class.new(StandardError)
 
     ANY_FIELD_NAME = :'*'
+    EXECUTE_FIELD_EVENTS = %w[execute_field execute_field_lazy]
 
     DEFAULT_NOT_AUTHORIZED = ->(type, field) do
       raise NotAuthorizedError.new("Not authorized to access: #{type.graphql_definition}.#{field}")
@@ -28,16 +28,22 @@ def initialize(policy_object: nil, not_authorized: DEFAULT_NOT_AUTHORIZED)
 
     def use(schema_definition)
       if schema_definition.interpreter?
-        fields(schema_definition).each do |field|
-          field.type_class.extension(GraphQL::Guard::FieldExtension, guard_instance: self)
-        end
+        schema_definition.tracer(self)
       else
         raise "Please use the graphql gem version >= 1.10 with GraphQL::Execution::Interpreter"
       end
 
       add_schema_masking!(schema_definition)
     end
 
+    def trace(event, trace_data)
+      if EXECUTE_FIELD_EVENTS.include?(event)
+        ensure_guarded(trace_data) { yield }
+      else
+        yield
+      end
+    end
+
     def find_guard_proc(type, field)
       inline_guard(field) ||
         policy_object_guard(type, field.name.to_sym) ||
@@ -47,12 +53,6 @@ def find_guard_proc(type, field)
 
     private
 
-    def fields(schema_definition)
-      schema_definition.types.values.flat_map { |type|
-        type.fields.values if type.name && type.respond_to?(:fields)
-      }.compact
-    end
-
     def add_schema_masking!(schema_definition)
       schema_definition.class_eval do
         def self.default_filter
@@ -61,6 +61,18 @@ def self.default_filter
       end
     end
 
+    def ensure_guarded(trace_data)
+      field = trace_data[:field]
+      guard_proc = find_guard_proc(field.owner, field)
+      return yield unless guard_proc
+
+      if guard_proc.call(trace_data[:object], trace_data[:arguments], trace_data[:query].context)
+        yield
+      else
+        not_authorized.call(field.owner, field.name.to_sym)
+      end
+    end
+
     def policy_object_guard(type, field_name)
       @policy_object && @policy_object.guard(type.type_class, field_name)
     end

diff --git a/lib/graphql/guard/field_extension.rb b/lib/graphql/guard/field_extension.rb
diff --git a/spec/fixtures/inline_schema.rb b/spec/fixtures/inline_schema.rb
@@ -33,4 +33,13 @@ class Schema < GraphQL::Schema
     query QueryType
     use GraphQL::Guard.new
   end
+
+  class SchemaWithoutExceptions < GraphQL::Schema
+    use GraphQL::Execution::Interpreter
+    use GraphQL::Analysis::AST
+    query QueryType
+    use GraphQL::Guard.new(not_authorized: ->(type, field) {
+      GraphQL::ExecutionError.new("Not authorized to access #{type.graphql_definition}.#{field}")
+    })
+  end
 end
diff --git a/spec/fixtures/inline_without_exceptions_schema.rb b/spec/fixtures/inline_without_exceptions_schema.rb
diff --git a/spec/graphql/guard_spec.rb b/spec/graphql/guard_spec.rb
@@ -5,7 +5,6 @@
 require 'fixtures/user'
 require 'fixtures/post'
 require 'fixtures/inline_schema'
-require 'fixtures/inline_without_exceptions_schema'
 require 'fixtures/policy_object_schema'
 
 RSpec.describe GraphQL::Guard do
@@ -41,7 +40,7 @@
       user = User.new(id: '1', role: 'not_admin')
       query = "query($userId: ID!) { posts(userId: $userId) { id title } }"
 
-      result = InlineWithoutExceptions::Schema.execute(query, variables: {userId: 1}, context: {current_user: user})
+      result = Inline::SchemaWithoutExceptions.execute(query, variables: {userId: 1}, context: {current_user: user})
 
       expect(result['errors']).to eq([{
         "message" => "Not authorized to access Post.id",