Module: Gitlab::Graphql::Authorize::AuthorizeResource


RESOURCE_ACCESS_ERROR =
"The resource that you are attempting to access does not exist or you don't have permission to perform this action"



#authorize!(object) ⇒ Object


# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 40

# Ensures +current_user+ may act on +object+, raising otherwise.
#
# The raised error carries RESOURCE_ACCESS_ERROR, whose wording covers both a
# missing resource and a missing permission, so the caller gets one message
# for either case.
#
# @param object [Object] the resource being accessed
# @raise [Gitlab::Graphql::Errors::ResourceNotAvailable] when the user is not authorized
# @return [nil] when the check passes
def authorize!(object)
  return if authorized_resource?(object)

  raise_resource_not_available_error!
end

#authorized_find!(*args) ⇒ Object


# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 32

# Resolves the object via +find_object+, forces any lazy wrapper, and
# authorizes it before returning it.
#
# @param args [Array] forwarded unchanged to +find_object+
# @return [Object] the resolved, authorized object
# @raise [Gitlab::Graphql::Errors::ResourceNotAvailable] if +authorize!+ rejects it
def authorized_find!(*args)
  resolved = Graphql::Lazy.force(find_object(*args))

  # tap returns +resolved+ itself; authorize! raises rather than returning a value.
  resolved.tap { |found| authorize!(found) }
end

#authorized_resource?(object) ⇒ Boolean

This was named `#authorized?`; however, it conflicts with the native graphql gem's version. TODO: consider adopting the gem's built-in authorization system (gitlab.com/gitlab-org/gitlab/issues/13984).

Returns:

  • (Boolean)

# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 50

# Checks every ability in +self.class.required_permissions+ against +object+
# for +current_user+.
#
# Fails closed: a class that declares no permissions raises instead of passing,
# because +all?+ over an empty list would otherwise be vacuously true and
# silently grant access.
#
# @param object [Object] the resource to check
# @return [Boolean] true only when every required ability is allowed
# @raise [Gitlab::Graphql::Errors::ArgumentError] when no permissions are declared
def authorized_resource?(object)
  raise Gitlab::Graphql::Errors::ArgumentError, "#{self.class.name} has no authorizations" if self.class.required_permissions.empty?

  # One user, possibly many objects: `scope: :user` lets `DeclarativePolicy`
  # reuse its cache across these checks.
  self.class.required_permissions.all? { |ability| Ability.allowed?(current_user, ability, object, scope: :user) }
end

#find_object(*args) ⇒ Object

Raises:

  • (NotImplementedError)

# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 28

# Hook for including classes: must return the object to authorize.
#
# The default implementation always raises so that a class which forgets to
# override it cannot accidentally resolve anything.
#
# @param _args [Array] whatever +authorized_find!+ was called with; unused here
# @raise [NotImplementedError] always, naming the class that must implement it
def find_object(*_args)
  message = "Implement #find_object in #{self.class.name}"
  raise NotImplementedError, message
end

#raise_resource_not_available_error! ⇒ Object


# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 65

# Raises the shared "does not exist or no permission" error with
# RESOURCE_ACCESS_ERROR as its message.
#
# @raise [Gitlab::Graphql::Errors::ResourceNotAvailable] always
# @return [void] never returns normally
def raise_resource_not_available_error!
  error_class = Gitlab::Graphql::Errors::ResourceNotAvailable
  raise error_class, RESOURCE_ACCESS_ERROR
end