Passing mutation arguments to policy

[alexander37137]

Is there a easier way to pass mutation arguments to policy

Right now im wrapping record and arguments to hash

def resolve(id:, attributes:)
    record = Record.find(id)

    authorize!({ record: record, attributes: attributes }, with: RecordPolicy, to: :edit?)

I tried to add attributes to authorization context, but queries also start require attributes even if i made it nullable

authorize :attributes, allow_nil: true

[palkan]

queries also start require attributes even if i made it nullable

Yep, that's a correct behaviour.

User input (attributes) should not affect authorization and could not be a part of authorization context.

What's is your use-case? What do you have in your edit? rule?

[alexander37137]

Some fields in my mutation can be edited only by users with certain roles. In policy i check if those fields changed and users have correct roles

[palkan]

Some fields in my mutation can be edited only by users with certain roles

That sounds very similar to strong parameters. So, I suggest using filtering instead. Something like:

# mutation
def resolve(id:, attributes:)
  record = Record.find(id)
  # check that user has a right to perform this action
  authorize! record, to: :do_something?

  # make sure that user pass correct params
  filtered_attributes = authorized_scope(attributes, type: :gql_input, with: RecordPolicy)

  # do something with filtered_attributes
end

# policy
class RecordPolicy < ApplicationPolicy
  scope_for :gql_input do |input|
    # remove fields depending on the role/permissions
  end
end

Another idea is to make it possible to authorize: true input field:

class Attributes < GraphQL::Schema::InputObject 
  field :a, String, authorize: true
end

[alexander37137]

If I filter mutation attributes, it will be unclear for api user why passed attributes not saving. I want to provide detailed reason of failure with "Failure Reasons" feature.

Authorising input fields is good idea but in some cases i anyway need to check attribute value if only some of values available for user

[palkan]

Got it.

Then it seems that we need to think about adding support for rules arguments:

def rule?(args:)
  # do smth
end

Not sure about the authorize! API:

# allowing to pass arrays in `to:` ?
authorize! record, to: [:rule?, args: arguments] 

# additional keyword argument ?
authorize! record, to: :rule?, with_args: {args: arguments}

[alexander37137]

Another idea is add another flag to authorize: allow_undefined or something like this, which allow to skip context argument
authorize :attributes, allow_nil: true, allow_undefined: true

But i like your idea with rule arguments more.

[somenugget]

Another idea is add another flag to authorize: allow_undefined or something like this, which allow to skip context argument
authorize :attributes, allow_nil: true, allow_undefined: true

But i like your idea with rule arguments more.

Sounds like a good-first-issue 🙂

[somenugget]

Btw, I'm using this workaround

# frozen_string_literal: true

class ApplicationPolicy < ActionPolicy::Base
  def initialize(*args, **params)
    # allow to skip explicit passing {promotable: nil} if `authorize :promotable, allow_nil: true`
    allowed_nil_params = self.class.authorization_targets.each_with_object({}) do |(target, options), nil_params|
      nil_params[target] = nil if options[:allow_nil]
    end

    super(*args, **allowed_nil_params.merge(params))
  end
end

[palkan]

Sounds like a good-first-issue

Yeah)

We can add the following API in addition to the existing allow_nil: true:

authorize :smith, optional: true

@somenugget Would you like to propose a PR?)

[somenugget]

@somenugget Would you like to propose a PR?)

@palkan yep) will do it soon

[palkan]

Closed in favour of palkan/action_policy-graphql#24