Commit graph

5 commits

Author SHA1 Message Date
Bob Van Landuyt
ed503d51a3 Expose IDs in GraphQL as a GlobalID
This exposes all fields named `id` as GlobalIDs so they can be used
across our entire GraphQL implementation.

When the objects loaded are `ApplicationRecord`s. We'll use our
existing batchloading to find them. Otherwise, we'll fall back to the
default implementation of `GlobalID`: Calling the `.find` method on
the class.
2019-06-03 21:59:25 +02:00
Bob Van Landuyt
eca8e6f09b Only check abilities on rendered GraphQL nodes
With this we only check abilities on the rendered edges of a GraphQL
connection instead of all the nodes in it.
2019-04-18 16:17:29 +02:00
Brett Walker
6643b92b88 Use parent object when authorizing scalar types 2019-04-04 09:03:21 -05:00
Luke Duncalfe
8207f7877f GraphQL Type authorization
Enables authorizations to be defined on GraphQL Types.

    module Types
      class ProjectType < BaseObject
        authorize :read_project
      end
    end

If a field has authorizations defined on it, and the return type of the
field also has authorizations defined on it. then all of the combined
permissions in the authorizations will be checked and must pass.

Connection fields are checked by "digging" to find the type class of the
"node" field in the expected location of edges->node.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54417
2019-04-03 14:36:33 +13:00
Luke Duncalfe
ccb4edbca1 Improve GraphQL Authorization DSL
Previously GraphQL field authorization happened like this:

    class ProjectType
      field :my_field, MyFieldType do
        authorize :permission
      end
    end

This change allowed us to authorize like this instead:

    class ProjectType
      field :my_field, MyFieldType, authorize: :permission
    end

A new initializer registers the `authorize` metadata keyword on GraphQL
Schema Objects and Fields, and we can collect this data within the
context of Instrumentation like this:

    field.metadata[:authorize]

The previous functionality of authorize is still being used for
mutations, as the #authorize method here is called at during the code
that executes during the mutation, rather than when a field resolves.

https://gitlab.com/gitlab-org/gitlab-ce/issues/57828
2019-02-26 10:22:12 +13:00