Commit graph

3 commits

Author SHA1 Message Date
Luke Duncalfe
8207f7877f GraphQL Type authorization
Enables authorizations to be defined on GraphQL Types.

    module Types
      class ProjectType < BaseObject
        authorize :read_project
      end
    end

If a field has authorizations defined on it, and the return type of the
field also has authorizations defined on it. then all of the combined
permissions in the authorizations will be checked and must pass.

Connection fields are checked by "digging" to find the type class of the
"node" field in the expected location of edges->node.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54417
2019-04-03 14:36:33 +13:00
Bob Van Landuyt
58aaa766a4 Types::BaseField accepts authorize after reload
When working on files in `app/graphql` the code correctly gets
autoloaded.

However, the redefined `Types::BaseField` would never receive the
`.accepts_definition` call, causing all queries after a reload to
fail. Calling `.accepts_definition` on its superclass makes sure the
reloaded version also has the `authorize` definition specified.
2019-03-04 11:19:28 +01:00
Luke Duncalfe
ccb4edbca1 Improve GraphQL Authorization DSL
Previously GraphQL field authorization happened like this:

    class ProjectType
      field :my_field, MyFieldType do
        authorize :permission
      end
    end

This change allowed us to authorize like this instead:

    class ProjectType
      field :my_field, MyFieldType, authorize: :permission
    end

A new initializer registers the `authorize` metadata keyword on GraphQL
Schema Objects and Fields, and we can collect this data within the
context of Instrumentation like this:

    field.metadata[:authorize]

The previous functionality of authorize is still being used for
mutations, as the #authorize method here is called at during the code
that executes during the mutation, rather than when a field resolves.

https://gitlab.com/gitlab-org/gitlab-ce/issues/57828
2019-02-26 10:22:12 +13:00