Action Policy Graphiti

This gem allows you to use Action Policy as an authorization framework for Graphiti applications.

The following features are currently enabled:

  • Authorization of create, update and destroy actions
  • Resource scoping

This gem is under heavy development so use it at your own risk!

Installation

Add this line to your application's Gemfile:

gem "action_policy-graphiti"

Usage

The integration is done by including a behaviour module into your Graphiti resources:

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour
end

Actions are authorized using the corresponding class methods:

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour

  authorize_action :create
  authorize_action :update
  authorize_action :destroy
end

Alternatively, the per-action shortcuts may be used (note how an explicit policy and an explicit rule are passed):

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour

  authorize_create to: :manage_but_not_destroy?
  authorize_update with: 'TestExplicitPolicy', to: :manage_but_not_destroy?
  authorize_destroy
end

Note: the current implementation requires you to pass policy names (strings) instead of classes when specifying explicit policies, since it is not guaranteed that policy classes are already loaded when the resource classes are loaded.

Note: the current implementation requires you to place authorize_ directives after any before_save and before_destroy hooks, since authorization checks are added as hooks themselves and should run only after all the regular hooks have completed.

Scoping is enabled by adding the following class method call (you can specify an explicit policy using the with: argument):

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour

  authorize_scope with: 'TestExplicitPolicy'
  # or just plain authorize_scope
end

There is also a shortcut that authorizes the create, update and destroy actions and applies scoping in one call (an explicit with: argument is accepted just as with the other authorize_ class methods):

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour

  authorize_and_scope_all with: 'TestExplicitPolicy'
  # or just plain authorize_and_scope_all if you want the policy class to be deduced
end

Note: the current implementation requires you to place the authorize_scope (and authorize_and_scope_all) call after the explicit base_scope method, since scoping is performed by modifying the results of the base scope.
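The two ordering notes above (authorize_ directives after before_save hooks, authorize_scope after base_scope) as an added, self-contained illustration: this is not the gem's code and does not load Action Policy or Graphiti; PostPolicy, ToyResource, the owner: context and the sample rows are stand-ins invented for the example.

```ruby
# Added illustration, not the gem's code: stand-ins for a policy and a resource
# showing (1) an authorize_ directive appended as one more hook, so it runs after
# the before_save hooks declared above it and sees the record's final state, and
# (2) authorize_scope wrapping the base_scope declared before it.
class Unauthorized < StandardError; end

class PostPolicy # stand-in policy; `owner` is the assumed authorization context
  def initialize(record, owner:)
    @record, @owner = record, owner
  end
  def manage_but_not_destroy?
    @record[:owner] == @owner
  end
  def self.scope(records, owner:) # own rows plus public ones
    records.select { |r| r[:owner] == owner || r[:public] }
  end
end

class ToyResource # stand-in for a Graphiti resource with hooks and a base scope
  def self.hooks; @hooks ||= []; end
  def self.before_save(&blk); hooks << blk; end
  def self.base_scope(&blk); @base_scope = blk; end

  def self.authorize_update(to:) # the check is just the last hook in the list
    hooks << lambda do |rec, ctx|
      PostPolicy.new(rec, **ctx).public_send(to) || raise(Unauthorized, to.to_s)
    end
  end

  def self.authorize_scope # filters whatever the earlier base_scope returns
    inner = @base_scope
    @base_scope = ->(ctx) { PostPolicy.scope(inner.call(ctx), **ctx) }
  end

  def self.save(record, ctx)
    hooks.each { |h| h.call(record, ctx) }
    record
  end
  def self.all(ctx); @base_scope.call(ctx); end
end

ROWS = [{ owner: "alice", public: false }, { owner: "alice", public: false },
        { owner: "bob", public: true }].freeze # constructed sample data

class PostResource < ToyResource
  before_save { |rec, ctx| rec[:owner] ||= ctx[:owner] } # regular hook runs first
  authorize_update to: :manage_but_not_destroy?           # then the policy check
  base_scope { |_ctx| ROWS.map(&:dup) }
  authorize_scope                                         # after base_scope
end
```

Because the check is the last hook, a record whose owner was filled in by before_save passes, a record already owned by someone else is rejected, and each caller only sees their own rows plus public ones.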

You can also build the authorization context inside Graphiti resources, just as with Action Policy in controllers:

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour

  authorize :parameter, through: :acquire_parameter

  def acquire_parameter
    # Your code goes here
  end
end

Or in a base class:

class ApplicationResource < Graphiti::Resource
  include ActionPolicy::Graphiti::Behaviour

  authorize :parameter, through: :acquire_parameter

  def acquire_parameter
    # Your code goes here
  end
end

And then in a corresponding policy:

class ApplicationPolicy < ActionPolicy::Base
  authorize :parameter
end

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/shrimple-tech/action_policy-graphiti.

License

The gem is available as open source under the terms of the MIT License.