gitlab-org--gitlab-foss/lib/gitlab/graphql/authorize/instrumentation.rb

# frozen_string_literal: true

module Gitlab
  module Graphql
    module Authorize
      class Instrumentation
        # Replace the resolver for the field with one that will only return the
        # resolved object if the permissions check is successful.
        def instrument(_type, field)
          required_permissions = Array.wrap(field.metadata[:authorize])
          return field if required_permissions.empty?

          old_resolver = field.resolve_proc

          new_resolver = -> (obj, args, ctx) do
            resolved_obj = old_resolver.call(obj, args, ctx)
            checker = build_checker(ctx[:current_user], required_permissions)

            if resolved_obj.respond_to?(:then)
              resolved_obj.then(&checker)
            else
              checker.call(resolved_obj)
            end
          end

          field.redefine do
            resolve(new_resolver)
          end
        end

        private

        def build_checker(current_user, abilities)
          lambda do |value|
            # Load the elements if they weren't loaded by BatchLoader yet
            value = value.sync if value.respond_to?(:sync)

            check = lambda do |object|
              abilities.all? do |ability|
                Ability.allowed?(current_user, ability, object)
              end
            end

            case value
            when Array
              value.select(&check)
            else
              value if check.call(value)
            end
          end
        end
      end
    end
  end
end
Enable even more frozen string in lib/gitlab Enables frozen string for the following: * lib/gitlab/fogbugz_import/*/.rb * lib/gitlab/gfm/*/.rb * lib/gitlab/git/*/.rb * lib/gitlab/gitaly_client/*/.rb * lib/gitlab/gitlab_import/*/.rb * lib/gitlab/google_code_import/*/.rb * lib/gitlab/gpg/*/.rb * lib/gitlab/grape_logging/*/.rb * lib/gitlab/graphql/*/.rb * lib/gitlab/graphs/*/.rb * lib/gitlab/hashed_storage/*/.rb * lib/gitlab/health_checks/*/.rb Partially address gitlab-org/gitlab-ce#47424. 2018-11-09 13:39:43 -05:00			`# frozen_string_literal: true`

Initial setup GraphQL using graphql-ruby 1.8 - All definitions have been replaced by classes: http://graphql-ruby.org/schema/class_based_api.html - Authorization & Presentation have been refactored to work in the class based system - Loaders have been replaced by resolvers - Times are now coersed as ISO 8601 2018-05-23 03:55:14 -04:00			`module Gitlab`
			`module Graphql`
			`module Authorize`
			`class Instrumentation`
			`# Replace the resolver for the field with one that will only return the`
			`# resolved object if the permissions check is successful.`
			`def instrument(_type, field)`
Improve GraphQL Authorization DSL Previously GraphQL field authorization happened like this: class ProjectType field :my_field, MyFieldType do authorize :permission end end This change allowed us to authorize like this instead: class ProjectType field :my_field, MyFieldType, authorize: :permission end A new initializer registers the `authorize` metadata keyword on GraphQL Schema Objects and Fields, and we can collect this data within the context of Instrumentation like this: field.metadata[:authorize] The previous functionality of authorize is still being used for mutations, as the #authorize method here is called at during the code that executes during the mutation, rather than when a field resolves. https://gitlab.com/gitlab-org/gitlab-ce/issues/57828 2019-02-17 20:19:49 -05:00			`required_permissions = Array.wrap(field.metadata[:authorize])`
			`return field if required_permissions.empty?`
Initial setup GraphQL using graphql-ruby 1.8 - All definitions have been replaced by classes: http://graphql-ruby.org/schema/class_based_api.html - Authorization & Presentation have been refactored to work in the class based system - Loaders have been replaced by resolvers - Times are now coersed as ISO 8601 2018-05-23 03:55:14 -04:00
			`old_resolver = field.resolve_proc`

			`new_resolver = -> (obj, args, ctx) do`
			`resolved_obj = old_resolver.call(obj, args, ctx)`
Improve GraphQL Authorization DSL Previously GraphQL field authorization happened like this: class ProjectType field :my_field, MyFieldType do authorize :permission end end This change allowed us to authorize like this instead: class ProjectType field :my_field, MyFieldType, authorize: :permission end A new initializer registers the `authorize` metadata keyword on GraphQL Schema Objects and Fields, and we can collect this data within the context of Instrumentation like this: field.metadata[:authorize] The previous functionality of authorize is still being used for mutations, as the #authorize method here is called at during the code that executes during the mutation, rather than when a field resolves. https://gitlab.com/gitlab-org/gitlab-ce/issues/57828 2019-02-17 20:19:49 -05:00			`checker = build_checker(ctx[:current_user], required_permissions)`
Initial setup GraphQL using graphql-ruby 1.8 - All definitions have been replaced by classes: http://graphql-ruby.org/schema/class_based_api.html - Authorization & Presentation have been refactored to work in the class based system - Loaders have been replaced by resolvers - Times are now coersed as ISO 8601 2018-05-23 03:55:14 -04:00
			`if resolved_obj.respond_to?(:then)`
			`resolved_obj.then(&checker)`
			`else`
			`checker.call(resolved_obj)`
			`end`
			`end`

			`field.redefine do`
			`resolve(new_resolver)`
			`end`
			`end`

			`private`

			`def build_checker(current_user, abilities)`
Allow authorize on array of objects for GraphQL And add tests 2019-02-12 10:30:23 -05:00			`lambda do \|value\|`
Initial setup GraphQL using graphql-ruby 1.8 - All definitions have been replaced by classes: http://graphql-ruby.org/schema/class_based_api.html - Authorization & Presentation have been refactored to work in the class based system - Loaders have been replaced by resolvers - Times are now coersed as ISO 8601 2018-05-23 03:55:14 -04:00			`# Load the elements if they weren't loaded by BatchLoader yet`
Allow authorize on array of objects for GraphQL And add tests 2019-02-12 10:30:23 -05:00			`value = value.sync if value.respond_to?(:sync)`

			`check = lambda do \|object\|`
			`abilities.all? do \|ability\|`
			`Ability.allowed?(current_user, ability, object)`
			`end`
			`end`

Instead of returning all or nothing, return whichever passed And add tests 2019-02-13 12:26:00 -05:00			`case value`
			`when Array`
			`value.select(&check)`
			`else`
			`value if check.call(value)`
			`end`
Initial setup GraphQL using graphql-ruby 1.8 - All definitions have been replaced by classes: http://graphql-ruby.org/schema/class_based_api.html - Authorization & Presentation have been refactored to work in the class based system - Loaders have been replaced by resolvers - Times are now coersed as ISO 8601 2018-05-23 03:55:14 -04:00			`end`
			`end`
			`end`
			`end`
			`end`
			`end`