Skip to content
Action Policy integration for GraphQL
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin init: scaffold gem May 20, 2019
gemfiles
lib Bump 0.1.0 [ci skip] May 21, 2019
spec fix: do not use transform_keys in specs May 21, 2019
.gitignore init: scaffold gem May 20, 2019
.rubocop.yml init: scaffold gem May 20, 2019
.travis.yml init: scaffold gem May 20, 2019
CHANGELOG.md Bump 0.1.0 [ci skip] May 21, 2019
Gemfile init: scaffold gem May 20, 2019
LICENSE.txt init: scaffold gem May 20, 2019
README.md readme: add post link [ci skip] May 22, 2019
Rakefile init: scaffold gem May 20, 2019
action_policy-graphql.gemspec init: scaffold gem May 20, 2019

README.md

Gem Version Build Status Documentation

Action Policy GraphQL

This gem provides an integration for using Action Policy as an authorization framework for GraphQL applications (built with graphql ruby gem).

This integration includes the following features:

📑 Documentation

Sponsored by Evil Martians

Installation

Add this line to your application's Gemfile:

gem "action_policy-graphql", "~> 0.1"

And then execute:

$ bundle

Usage

NOTE: this is a quick overview of the functionality provided by the gem. For more information see the documentation.

To start using Action Policy in GraphQL-related code, you need to enhance your base classes with ActionPolicy::GraphQL::Behaviour:

# For fields authorization, lists scoping and rules exposing
class Types::BaseObject < GraphQL::Schema::Object
  include ActionPolicy::GraphQL::Behaviour
end

# For using authorization helpers in mutations
class Types::BaseMutation < GraphQL::Schema::Mutation
  include ActionPolicy::GraphQL::Behaviour
end

authorize: *

You can add authorization to the fields by specifying the authorize: * option:

field :home, Home, null: false, authorize: true do
  argument :id, ID, required: true
end

# field resolver method
def home(id:)
  Home.find(id)
end

The code above is equal to:

field :home, Home, null: false do
  argument :id, ID, required: true
end

def home(id:)
  Home.find(id).tap { |home| authorize! home, to: :show? }
end

You can customize the authorization options, e.g. authorize: {to: :preview?, with: CustomPolicy}.

authorized_scope: *

You can add authorized_scope: true option to the field (list or connection field) to apply the corresponding policy rules to the data:

class CityType < ::Common::Graphql::Type
  # It would automatically apply the relation scope from the EventPolicy to
  # the relation (city.events)
  field :events, EventType.connection_type, null: false, authorized_scope: true

  # you can specify the policy explicitly
  field :events, EventType.connection_type, null: false, authorized_scope: {with: CustomEventPolicy}
end

expose_authorization_rules

You can add permissions/authorization exposing fields to "tell" clients which actions could be performed against the object or not (and why).

For example:

class ProfileType < ::Common::Graphql::Type
  # Adds can_edit, can_destroy fields with
  # AuthorizationResult type.

  # NOTE: prefix "can_" is used by default, no need to specify it explicitly
  expose_authorization_rules :edit?, :destroy?, prefix: "can_"
end

Then the client could perform the following query:

{
  post(id: $id) {
    canEdit {
      # (bool) true|false; not null
      value
      # top-level decline message ("Not authorized" by default); null if value is true
      message
      # detailed information about the decline reasons; null if value is true
      reasons {
        details # JSON-encoded hash of the failure reasons (e.g., {"event" => [:seats_available?]})
        fullMessages # Array of human-readable reasons (e.g., ["This event is sold out"])
      }
    }

    canDestroy {
      # ...
    }
  }
}

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/palkan/action_policy-graphql.

License

The gem is available as open source under the terms of the MIT License.

You can’t perform that action at this time.