Skip to content

MatthewChang/graphql-versioning

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
lib/graphql
lib/graphql
 
 
spec
spec
 
 
.gitignore
.gitignore
 
 
.rspec
.rspec
 
 
Gemfile
Gemfile
 
 
MIT-LICENSE
MIT-LICENSE
 
 
README.md
README.md
 
 
graphql-versioning.gemspec
graphql-versioning.gemspec
 
 

Repository files navigation

graphql-authorization

Gem Version

An authorization framework for graphql-ruby

Installation

Install from RubyGems by adding it to your Gemfile, then bundling.

# Gemfile
gem 'graphql-authorization'
$ bundle install

Setup

Add the instrumentation to your graphql schema definition

Schema = GraphQL::Schema.define do
  #Enables authorization
  instrument(:field, GraphQL::Authorization::Instrumentation.new)
  query QueryType
  mutation MutationType
end

Change your query runner to inject an ability (discussed below) into the context

Schema.execute(query, context: { ability: GraphqlAbility.new(current_user) })

Usage

Permission are defined by an ability class which must impliment an ability method

class GraphAbility < GraphQL::Authorization::Ability
  def ability(user)
    allowed QueryType
  end
end

The user object that the ability class is instantiated with passed in as the only argument. Function calls in this method define the access of the user. The ability specifies which types and fields are allowed to be read/computed by the user. If a type is not allowed, an exception is raised if any fields in the query resolve to that type. If a field is not allowed, an exception is raised if that field is requested in the query. These permissions can be computed dynamically using the context of the query.

allowed

Setting a query as allowed permits access to all fields on the query

class GraphAbility < GraphQL::Authorization::Ability
  def ability(user)
    allowed QueryType
    allowed BookType
  end
end

allows me to query any field on any book

permit

To specify more fine grained authorization you can call permit on a type and pass either additional arguments, or a block

class AbilityExample < GraphQL::Authorization::Ability
  def ability(user)
    allowed QueryType
    permit BookType, execute: true, only: [:id, :pages]
  end
end

the above allows me to execute fields which return BookType, and query only the :id and :pages fields

class AbilityExample < GraphQL::Authorization::Ability
  def ability(user)
    allowed QueryType
    permit BookType do
      execute true
      access :id
      access :pages, ->(book) { book.page_count.even? }
    end
  end
end

the above allows me to execute fields which return BookType, and query only the :id field and the :pages field only if the object in the query (book) has an even page count.

Tests

Run tests with rspec

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

About

Whole api versioning for graphql-ruby

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages