palkan/action_policy-graphql

verify_authorized

pdfrod opened this issue · 2 comments

Is there any equivalent to verify_authorized? This is a must to help us not forget to verify authorization.

We haven't added built-in support for that to the gem but used the following in a couple of projects (described in this RailsConf talk):

  • Add callbacks support to resolvers by including this module:
module ResolverCallbacks
  def self.included(base)
    base.include ActiveSupport::Callbacks
    base.define_callbacks :resolve

    base.resolve_method :resolve_with_callbacks
    base.extend ClassMethods
  end

  def resolve_with_callbacks(**kwargs)
    run_callbacks(:resolve) { resolve(**kwargs) }
  end

  module ClassMethods
    def before_resolve(*args, &block)
      set_callback :resolve, :before, *args, &block
    end

    def after_resolve(*args, &block)
      set_callback :resolve, :after, *args, &block
    end
  end
end
  • Add verify_authorized callback to a base mutation class:
class BaseMutation < GraphQL::Schema::RelayClassicMutation
  include ResolverCallbacks

  # Fail if resolve finished without authorize! or skip_authorization! being called
  after_resolve do
    raise "Unauthorized mutation" unless @authorization_performed
  end

  def authorize!(*)
    @authorization_performed = true
    super
  end

  # Call this method if you don't need to authorize the mutation
  def skip_authorization!
    @authorization_performed = true
  end
end
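The same guard as an added example (not code from the gem or from the comment above), reduced to plain Ruby so it runs without Rails or graphql-ruby. `SketchMutation`, the two error classes, the owner-only `authorize!` stand-in and the sample mutations are all hypothetical names constructed for this illustration.

```ruby
# Added illustration in plain Ruby (no Rails or graphql-ruby); all names are hypothetical.
class AuthorizationNotPerformed < StandardError; end
class NotAuthorized < StandardError; end

class SketchMutation
  def initialize(user)
    @user = user
  end

  # Plays the role of resolve_with_callbacks: run resolve, then verify.
  def call(**kwargs)
    result = resolve(**kwargs)
    raise AuthorizationNotPerformed, self.class.name unless @authorization_performed
    result
  end

  # Stand-in for the real authorize!: only the record's owner may act.
  def authorize!(record)
    @authorization_performed = true
    raise NotAuthorized unless record[:owner] == @user
  end

  def skip_authorization!
    @authorization_performed = true
  end
end

class RenamePost < SketchMutation
  def resolve(post:, title:)
    authorize!(post)
    post[:title] = title
  end
end

class DeletePost < SketchMutation # constructed bug: never authorizes
  def resolve(post:)
    post[:deleted] = true
  end
end

# Runs a mutation and returns :ok or the error class it raised.
def outcome(mutation, **args)
  mutation.call(**args)
  :ok
rescue AuthorizationNotPerformed, NotAuthorized => e
  e.class
end

post = { owner: "alice", title: "draft" } # constructed sample record
p outcome(RenamePost.new("alice"), post: post, title: "v2")
p outcome(RenamePost.new("mallory"), post: post, title: "x")
p outcome(DeletePost.new("mallory"), post: post)
```

In this sketch, as with the `after_resolve` callback, the check runs after `resolve` has finished, so `DeletePost`'s write has already happened when the error is raised. The check flags a missing `authorize!` call rather than preventing its effects.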