
Comments (5)

palkan commented on May 24, 2024

If you do not require user for all your policy checks, you need to configure your policy classes to allow this behaviour:

class ApplicationPolicy < ActionPolicy::Base
  authorize :user, allow_nil: true
  # or
  authorize :user, optional: true
end

And then in your rules you can check for user.nil?.

from action_policy-graphql.

neiljohari commented on May 24, 2024

It also seems like this case of nil user is not tested:

context.fetch(:user, :user)

The current_user is always set to something by default in that spec (:user).

I am able to somewhat solve my issue via the Null Object pattern (creating a null user). It's not ideal since I'd rather be able to just query for permissions with a missing context defaulting to false, but here's my current solution:

class GraphqlController < ApplicationController
  def execute
    # ...
    context = {
      current_user: Current.user || ::NullUser.new
    }
    # ...
  end
end

module Types
  class QueryType < Types::BaseObject
    # ...
    field :viewer, UserType, null: true

    # Hide the NullUser from clients so `viewer` is null for anonymous requests.
    def viewer
      context[:current_user].is_a?(::NullUser) ? nil : context[:current_user]
    end
    # ...
  end
end

This way from the front-end view, viewer genuinely appears as null, but in Ruby (and thus all places Action Policy checks), the NullUser is used to bypass the missing context errors.

The biggest downside I see is some changes in convention of how the client asks what it's allowed to do. Whereas before I was able to ask if the viewer was able to do something, and differentiate it clearly from whether another user is allowed to:

query {
  viewer {
    canCreateCourses {
      value
    }
  }
}

I now must conventionally define viewer permissions at the root level:

query {
  canCreateCourses {
    value
  }
}

Not the worst trade-off in the world. Thoughts? Is this just me working around an action policy bug, or is this how we're expected to handle missing context?

from action_policy-graphql.
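As an added example (not code from this thread or from the action_policy gem), the following stand-alone Ruby models the two strategies discussed in the two comments above: the `authorize :user, allow_nil: true` policy whose rules check `user.nil?`, and the NullUser workaround. `MiniPolicy`, `MissingAuthorizationContext`, `User`, `CoursePolicy`, `StrictCoursePolicy` and `can_create_course?` are hypothetical names that only mimic the shape of the gem's `authorize` declaration so the behaviour can be exercised without Rails or the gem installed. The security point it makes is that both approaches fail closed for an anonymous viewer: a missing user either raises or is denied, and a NullUser must answer every predicate with `false`.

```ruby
# Hypothetical stand-in for ActionPolicy::Base (NOT the gem's implementation).
# It models only the `authorize :user, allow_nil: true` / `optional: true`
# declaration: a missing context key raises unless nil was explicitly allowed.
class MissingAuthorizationContext < StandardError; end

class MiniPolicy
  class << self
    attr_writer :context_spec

    # Inherit the declaration from the parent policy; default to a required user.
    def context_spec
      @context_spec ||
        (superclass.respond_to?(:context_spec) ? superclass.context_spec : { key: :user, allow_nil: false })
    end

    def authorize(key, allow_nil: false, optional: false)
      self.context_spec = { key: key, allow_nil: allow_nil || optional }
    end
  end

  attr_reader :record

  def initialize(record = nil, **context)
    spec = self.class.context_spec
    value = context[spec[:key]]
    # Fail closed: a missing user is an error unless the policy allows nil.
    if value.nil? && !spec[:allow_nil]
      raise MissingAuthorizationContext, "missing #{spec[:key]} in authorization context"
    end
    @record = record
    instance_variable_set("@#{spec[:key]}", value)
  end
end

# Strategy 1 (palkan's suggestion): allow a nil user and check for it in each rule.
class ApplicationPolicy < MiniPolicy
  authorize :user, allow_nil: true
  attr_reader :user
end

class CoursePolicy < ApplicationPolicy
  def create?
    return false if user.nil? # anonymous viewer: explicit deny
    user.teacher?
  end
end

# Strategy 2 (the workaround from the thread): a Null Object stands in for the
# missing user. Every predicate must return false so no rule is accidentally granted.
class NullUser
  def teacher?
    false
  end
end

class StrictApplicationPolicy < MiniPolicy
  authorize :user # default: a nil user raises MissingAuthorizationContext
  attr_reader :user
end

class StrictCoursePolicy < StrictApplicationPolicy
  def create?
    user.teacher?
  end
end

# Constructed sample user type for the example.
User = Struct.new(:name, :teacher) do
  def teacher?
    teacher
  end
end

# Resolver-style helper mirroring the `viewer` field: clients never see the NullUser.
def viewer_for(current_user)
  current_user.is_a?(NullUser) ? nil : current_user
end

# Ask a policy class for the create permission, treating missing context as denied.
def can_create_course?(policy_class, user)
  policy_class.new(nil, user: user).create?
rescue MissingAuthorizationContext
  false
end

if __FILE__ == $PROGRAM_NAME
  teacher = User.new("ada", true)
  puts "allow_nil + nil user:     #{can_create_course?(CoursePolicy, nil)}"
  puts "allow_nil + teacher:      #{can_create_course?(CoursePolicy, teacher)}"
  puts "strict + nil user:        #{can_create_course?(StrictCoursePolicy, nil)}"
  puts "strict + NullUser:        #{can_create_course?(StrictCoursePolicy, NullUser.new)}"
  puts "viewer for NullUser:      #{viewer_for(NullUser.new).inspect}"
end
```

With `allow_nil: true` the nil check lives in every rule, so a rule that forgets it raises `NoMethodError` on `nil` rather than granting access; with the NullUser the check is centralised in the null object, which is only safe as long as every predicate on it stays `false`.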

neiljohari commented on May 24, 2024

@palkan Ah okay, that makes a lot of sense actually—thank you!

I think the documentation could use some clarification (and the specs probably should have a test for nil user with allow_nil/optional as true).

Would you be interested if I started a PR for these documentation/testing enhancements?

from action_policy-graphql.

palkan commented on May 24, 2024

the specs probably should have a test for nil user with allow_nil/optional as true

We have such tests in the action_policy itself:
https://github.com/palkan/action_policy/blob/863624adefa4a55a4cfc8eb801e873b40d7790e3/test/action_policy/policy/authorization_test.rb#L54-L68

if I started a PR for these documentation/testing enhancements?

Yep, it would be great to enhance allow_nil/optional documentation. Currently, we have just a single note about it without additional information: https://actionpolicy.evilmartians.io/#/authorization_context.

It definitely deserves a sub-section and some examples.

from action_policy-graphql.

palkan commented on May 24, 2024

Closed by palkan/action_policy@20d68de

from action_policy-graphql.
