Comments (5)
If you do not require user for all your policy checks, you need to configure your policy classes to allow this behaviour:

```ruby
class ApplicationPolicy < ActionPolicy::Base
  authorize :user, allow_nil: true
  # or
  authorize :user, optional: true
end
```

And then in your rules you can check for `user.nil?`.
from action_policy-graphql.
It also seems like this case of nil user is not tested:
The current_user is always set to something by default in that spec (`:user`).
I am able to somewhat solve my issue via the Null Object pattern (creating a null user). It's not ideal since I'd rather be able to just query for permissions with a missing context defaulting to false, but here's my current solution:

```ruby
class GraphqlController < ApplicationController
  def execute
    # ...
    context = {
      current_user: Current.user || ::NullUser.new
    }
    # ...
  end
end
```

```ruby
module Types
  class QueryType < Types::BaseObject
    # ...
    field :viewer, UserType, null: true

    def viewer
      context[:current_user].is_a?(::NullUser) ? nil : context[:current_user]
    end
    # ...
  end
end
```

This way from the front-end view, `viewer` genuinely appears as null, but in Ruby (and thus all places Action Policy checks), the NullUser is used to bypass the missing context errors.
The biggest downside I see is some changes in convention of how the client asks what it's allowed to do. Whereas before I was able to ask if the viewer was able to do something, and differentiate it clearly from whether another user is allowed to:

```graphql
query {
  viewer {
    canCreateCourses {
      value
    }
  }
}
```

I now must conventionally define viewer permissions at the root level:

```graphql
query {
  canCreateCourses {
    value
  }
}
```
Not the worst trade off in the world. Thoughts? Is this just me working around an action policy bug, or is this how we're expected to handle missing context?
from action_policy-graphql.
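Added example (not code from the thread or from the action_policy gems): a plain-Ruby stand-in for a policy class showing both options discussed above, rules that guard `user.nil?` (as with `authorize :user, allow_nil: true`) and the NullUser workaround. `User`, `Course`, `CoursePolicy` and `viewer_for` are constructed for illustration; in both cases a missing context fails closed rather than raising.

```ruby
User = Struct.new(:id, :role) do
  def admin?; role == :admin; end
  def instructor?; role == :instructor; end
end
Course = Struct.new(:owner_id, :published)

# Null Object from the workaround above: answers "no" to every capability
# question, so rules run without nil guards and still deny.
class NullUser
  def id; nil; end
  def admin?; false; end
  def instructor?; false; end
end

# Stand-in for an Action Policy class (hypothetical, not the gem's API).
class CoursePolicy
  attr_reader :user, :record
  def initialize(user, record = nil)
    @user, @record = user, record
  end
  # Anyone, including an anonymous caller, may see a published course.
  def show?
    return !!record&.published if user.nil?
    !!record&.published || owner? || user.admin?
  end
  # Creating needs a real instructor or admin; nil user fails closed.
  def create?
    return false if user.nil?
    user.instructor? || user.admin?
  end
  def update?
    return false if user.nil?
    owner? || user.admin?
  end
  private
  # Never match on a nil id, so NullUser cannot own anything by accident.
  def owner?
    !record.nil? && !record.owner_id.nil? && record.owner_id == user.id
  end
end

# What the GraphQL `viewer` field should return: nil for both a missing
# context and the NullUser stand-in, so clients see the same shape.
def viewer_for(current_user)
  (current_user.nil? || current_user.is_a?(NullUser)) ? nil : current_user
end

def allowed?(user, rule, record = nil)
  CoursePolicy.new(user, record).public_send(rule)
end
```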
@palkan Ah okay, that makes a lot of sense actually—thank you!
I think the documentation could use some clarification (and the specs probably should have a test for nil user with allow_nil/optional as true).
Would you be interested if I started a PR for these documentation/testing enhancements?
from action_policy-graphql.
> the specs probably should have a test for nil user with allow_nil/optional as true

We have such tests in the action_policy itself:
https://github.com/palkan/action_policy/blob/863624adefa4a55a4cfc8eb801e873b40d7790e3/test/action_policy/policy/authorization_test.rb#L54-L68

> if I started a PR for these documentation/testing enhancements?

Yep, it would be great to enhance allow_nil/optional documentation. Currently, we have just a single note about it without additional information: https://actionpolicy.evilmartians.io/#/authorization_context.
It definitely deserves a sub-section and some examples.
from action_policy-graphql.
Closed by palkan/action_policy@20d68de
from action_policy-graphql.