Module: Gitlab::Graphql::Authorize::AuthorizeResource

Extended by:

ActiveSupport::Concern

Included in:

Resolvers::Admin::Analytics::InstanceStatistics::MeasurementsResolver, Resolvers::BoardListsResolver, Resolvers::DesignManagement::DesignAtVersionResolver, Resolvers::DesignManagement::Version::DesignAtVersionResolver, Resolvers::DesignManagement::Version::DesignsAtVersionResolver, Resolvers::DesignManagement::VersionInCollectionResolver, Resolvers::DesignManagement::VersionResolver, Resolvers::MilestonesResolver, Resolvers::ProjectMembersResolver, Resolvers::Projects::JiraImportsResolver, Resolvers::Projects::JiraProjectsResolver, Resolvers::Projects::ServicesResolver, Resolvers::UsersResolver

Defined in:

lib/gitlab/graphql/authorize/authorize_resource.rb

Constant Summary

RESOURCE_ACCESS_ERROR =

"The resource that you are attempting to access does not exist or you don't have permission to perform this action"

Instance Method Summary

• #authorize!(object) ⇒ Object
• #authorized_find!(*args) ⇒ Object
• #authorized_resource?(object) ⇒ Boolean

  this was named `#authorized?`, however it conflicts with the native graphql gem version TODO consider adopting the gem's built in authorization system gitlab.com/gitlab-org/gitlab/issues/13984.

• #find_object(*args) ⇒ Object
• #raise_resource_not_available_error! ⇒ Object

Instance Method Details

#authorize!(object) ⇒ Object

# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 40

def authorize!(object)
  unless authorized_resource?(object)
    raise_resource_not_available_error!
  end
end

#authorized_find!(*args) ⇒ Object

# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 32

def authorized_find!(*args)
  object = Graphql::Lazy.force(find_object(*args))

  authorize!(object)

  object
end

#authorized_resource?(object) ⇒ Boolean

this was named `#authorized?`, however it conflicts with the native graphql gem version TODO consider adopting the gem's built in authorization system gitlab.com/gitlab-org/gitlab/issues/13984

Returns:

• (Boolean)

# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 50

def authorized_resource?(object)
  # Sanity check. We don't want to accidentally allow a developer to authorize
  # without first adding permissions to authorize against
  if self.class.required_permissions.empty?
    raise Gitlab::Graphql::Errors::ArgumentError, "#{self.class.name} has no authorizations"
  end

  self.class.required_permissions.all? do |ability|
    # The actions could be performed across multiple objects. In which
    # case the current user is common, and we could benefit from the
    # caching in `DeclarativePolicy`.
    Ability.allowed?(current_user, ability, object, scope: :user)
  end
end

#find_object(*args) ⇒ Object

Raises:

• (NotImplementedError)

# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 28

def find_object(*args)
  raise NotImplementedError, "Implement #find_object in #{self.class.name}"
end

#raise_resource_not_available_error! ⇒ Object

Raises:

• (Gitlab::Graphql::Errors::ResourceNotAvailable)

# File 'lib/gitlab/graphql/authorize/authorize_resource.rb', line 65

def raise_resource_not_available_error!
  raise Gitlab::Graphql::Errors::ResourceNotAvailable, RESOURCE_ACCESS_ERROR
end