gitlab-org--gitlab-foss/lib/gitlab/graphql/authorize/authorize_resource.rb

# frozen_string_literal: true

module Gitlab
  module Graphql
    module Authorize
      module AuthorizeResource
        extend ActiveSupport::Concern
        ConfigurationError = Class.new(StandardError)

        RESOURCE_ACCESS_ERROR = "The resource that you are attempting to access does " \
          "not exist or you don't have permission to perform this action"

        class_methods do
          def required_permissions
            # If the `#authorize` call is used on multiple classes, we add the
            # permissions specified on a subclass, to the ones that were specified
            # on its superclass.
            @required_permissions ||= if respond_to?(:superclass) && superclass.respond_to?(:required_permissions)
                                        superclass.required_permissions.dup
                                      else
                                        []
                                      end
          end

          def authorize(*permissions)
            required_permissions.concat(permissions)
          end

          def authorizes_object?
            defined?(@authorizes_object) ? @authorizes_object : false
          end

          def authorizes_object!
            @authorizes_object = true
          end

          def raise_resource_not_available_error!(msg = RESOURCE_ACCESS_ERROR)
            raise ::Gitlab::Graphql::Errors::ResourceNotAvailable, msg
          end
        end

        def find_object(*args)
          raise NotImplementedError, "Implement #find_object in #{self.class.name}"
        end

        def authorized_find!(*args, **kwargs)
          object = Graphql::Lazy.force(find_object(*args, **kwargs))

          authorize!(object)

          object
        end

        def authorize!(object)
          raise_resource_not_available_error! unless authorized_resource?(object)
        end

        def authorized_resource?(object)
          raise ConfigurationError, "#{self.class.name} has no authorizations" if self.class.authorization.none?

          self.class.authorization.ok?(object, current_user)
        end

        def raise_resource_not_available_error!(*args)
          self.class.raise_resource_not_available_error!(*args)
        end
      end
    end
  end
end
Enable even more frozen string in lib/gitlab Enables frozen string for the following: * lib/gitlab/fogbugz_import/*/.rb * lib/gitlab/gfm/*/.rb * lib/gitlab/git/*/.rb * lib/gitlab/gitaly_client/*/.rb * lib/gitlab/gitlab_import/*/.rb * lib/gitlab/google_code_import/*/.rb * lib/gitlab/gpg/*/.rb * lib/gitlab/grape_logging/*/.rb * lib/gitlab/graphql/*/.rb * lib/gitlab/graphs/*/.rb * lib/gitlab/hashed_storage/*/.rb * lib/gitlab/health_checks/*/.rb Partially address gitlab-org/gitlab-ce#47424. 2018-11-09 13:39:43 -05:00			`# frozen_string_literal: true`

Add mutation toggling WIP state of merge requests This is mainly the setup of mutations for GraphQL. Including authorization and basic return type-structure. 2018-07-10 10:19:45 -04:00			`module Gitlab`
			`module Graphql`
			`module Authorize`
			`module AuthorizeResource`
			`extend ActiveSupport::Concern`
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00			`ConfigurationError = Class.new(StandardError)`
Add mutation toggling WIP state of merge requests This is mainly the setup of mutations for GraphQL. Including authorization and basic return type-structure. 2018-07-10 10:19:45 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00			`RESOURCE_ACCESS_ERROR = "The resource that you are attempting to access does " \`
			`"not exist or you don't have permission to perform this action"`
Add latest changes from gitlab-org/gitlab@master 2019-12-13 04:08:01 -05:00
Improve GraphQL Authorization DSL Previously GraphQL field authorization happened like this: class ProjectType field :my_field, MyFieldType do authorize :permission end end This change allowed us to authorize like this instead: class ProjectType field :my_field, MyFieldType, authorize: :permission end A new initializer registers the `authorize` metadata keyword on GraphQL Schema Objects and Fields, and we can collect this data within the context of Instrumentation like this: field.metadata[:authorize] The previous functionality of authorize is still being used for mutations, as the #authorize method here is called at during the code that executes during the mutation, rather than when a field resolves. https://gitlab.com/gitlab-org/gitlab-ce/issues/57828 2019-02-17 20:19:49 -05:00			`class_methods do`
			`def required_permissions`
			# If the `#authorize` call is used on multiple classes, we add the
			`# permissions specified on a subclass, to the ones that were specified`
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00			`# on its superclass.`
			`@required_permissions \|\|= if respond_to?(:superclass) && superclass.respond_to?(:required_permissions)`
Improve GraphQL Authorization DSL Previously GraphQL field authorization happened like this: class ProjectType field :my_field, MyFieldType do authorize :permission end end This change allowed us to authorize like this instead: class ProjectType field :my_field, MyFieldType, authorize: :permission end A new initializer registers the `authorize` metadata keyword on GraphQL Schema Objects and Fields, and we can collect this data within the context of Instrumentation like this: field.metadata[:authorize] The previous functionality of authorize is still being used for mutations, as the #authorize method here is called at during the code that executes during the mutation, rather than when a field resolves. https://gitlab.com/gitlab-org/gitlab-ce/issues/57828 2019-02-17 20:19:49 -05:00			`superclass.required_permissions.dup`
			`else`
			`[]`
			`end`
			`end`

			`def authorize(*permissions)`
			`required_permissions.concat(permissions)`
			`end`
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00
			`def authorizes_object?`
			`defined?(@authorizes_object) ? @authorizes_object : false`
			`end`

			`def authorizes_object!`
			`@authorizes_object = true`
			`end`

			`def raise_resource_not_available_error!(msg = RESOURCE_ACCESS_ERROR)`
			`raise ::Gitlab::Graphql::Errors::ResourceNotAvailable, msg`
			`end`
Add mutation toggling WIP state of merge requests This is mainly the setup of mutations for GraphQL. Including authorization and basic return type-structure. 2018-07-10 10:19:45 -04:00			`end`

			`def find_object(*args)`
			`raise NotImplementedError, "Implement #find_object in #{self.class.name}"`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-10-11 23:08:20 -04:00			`def authorized_find!(args, *kwargs)`
			`object = Graphql::Lazy.force(find_object(args, *kwargs))`
Upgrade GraphQL gem to 1.8.17 - Due to https://github.com/exAspArk/batch-loader/pull/32, we changed BatchLoader.for into BatchLoader::GraphQL.for - since our results are wrapped in a BatchLoader::GraphQL, calling `sync` during authorization is required to get real object - `graphql` now has it's own authorization system. Our `authorized?` method conflicted and required renaming 2019-09-04 13:42:48 -04:00
Add mutation toggling WIP state of merge requests This is mainly the setup of mutations for GraphQL. Including authorization and basic return type-structure. 2018-07-10 10:19:45 -04:00			`authorize!(object)`

			`object`
			`end`

			`def authorize!(object)`
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00			`raise_resource_not_available_error! unless authorized_resource?(object)`
Add mutation toggling WIP state of merge requests This is mainly the setup of mutations for GraphQL. Including authorization and basic return type-structure. 2018-07-10 10:19:45 -04:00			`end`

Upgrade GraphQL gem to 1.8.17 - Due to https://github.com/exAspArk/batch-loader/pull/32, we changed BatchLoader.for into BatchLoader::GraphQL.for - since our results are wrapped in a BatchLoader::GraphQL, calling `sync` during authorization is required to get real object - `graphql` now has it's own authorization system. Our `authorized?` method conflicted and required renaming 2019-09-04 13:42:48 -04:00			`def authorized_resource?(object)`
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00			`raise ConfigurationError, "#{self.class.name} has no authorizations" if self.class.authorization.none?`
Sanity check for GraphQL authorized? Raise an exception if a developer calls any of the GraphQL authorization methods and a `authorize :permission` is missing from a mutation class. Previously `authorized?` would return `true` in this situation, which although technically is accurate is not what a developer is intending. 2019-06-21 01:09:02 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00			`self.class.authorization.ok?(object, current_user)`
Add mutation toggling WIP state of merge requests This is mainly the setup of mutations for GraphQL. Including authorization and basic return type-structure. 2018-07-10 10:19:45 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-12-13 04:08:01 -05:00
Add latest changes from gitlab-org/gitlab@master 2021-03-18 02:11:52 -04:00			`def raise_resource_not_available_error!(*args)`
			`self.class.raise_resource_not_available_error!(*args)`
Add latest changes from gitlab-org/gitlab@master 2019-12-13 04:08:01 -05:00			`end`
Add mutation toggling WIP state of merge requests This is mainly the setup of mutations for GraphQL. Including authorization and basic return type-structure. 2018-07-10 10:19:45 -04:00			`end`
			`end`
			`end`
			`end`