how to authorize scope at resolver level
lifeiscontent opened this issue · 3 comments
Hey @palkan I'm currently in the process of creating a resolver that takes an argument called type
and depending on the type there are different types of authorization scopes I want to apply, however, I'm not sure how or if there's a way to either access resolver arguments in a policy, or how to apply different behaviors of a policy depending on the resolver arguments.
here's an example:
def feed(type:)
ArticlePolicy.public if type == "PUBLIC"
ArticlePolicy.personalized if type == "PERSONALIZED"
endthe intent here is depending on which feed is being queried, I want to limit the kind of articles shown. e.g. if they want to see the public feed, they see all public articles, but if they want to see a personalized feed of articles of all the people they follow, then it'll only show those.
How would you approach something like this with ActionPolicy?
Hey!
Sorry for the late response.
How would you approach something like this with ActionPolicy?
I would update my GraphQL schema to not depend on type (e.g., publicFeed and myFeed). That's what makes sense to me.
And I had no other option but to use a single resolver, I would use named scopes for that
authorized_scope Feed.all, as: type == "PUBLIC" ? :public : :personal
# then in your policy
relation_scope(:public) { ... }
relation_scope(:personal) { ... }
```@palkan this filtering by type seems to be common and also a example in the Apollo Client docs. https://www.apollographql.com/docs/react/pagination/key-args/
It might be worth trying to find a more ergonomic api in action policy to handle this case.
Thanks for your advice, always appreciated!
also a example in the Apollo Client docs.
Well, I'd say that the fact that Apollo recommends it doesn't mean that's a good practice 🙂
find a more ergonomic api in action policy to handle this case.
Then, named scopes is the way to go.