| author | Kamil Trzciński <ayufan@ayufan.eu> | 2019-02-26 12:05:50 +0300 |
|---|---|---|
| committer | Kamil Trzciński <ayufan@ayufan.eu> | 2019-02-26 12:05:50 +0300 |
| commit | ed5ff8017ed2c4241dcb8dc94f7f9ba46e97a6b7 (patch) | |
| tree | 7bcdb70d9e37fad2a1c279a35bfe0143e6b3ece3 /doc/development | |
| parent | fb76dfe0d8e9f99731f37c2da5d7cc2522365ceb (diff) | |
| parent | ccb4edbca1aa7e94a76a5a8d361af02fd093e1b9 (diff) | |
Merge branch '54417-improve-authorize-dsl' into 'master'
Improve GraphQL Authorization DSL
Closes #57828
See merge request gitlab-org/gitlab-ce!25328
Diffstat (limited to 'doc/development')
-rw-r--r-- | doc/development/api_graphql_styleguide.md | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/doc/development/api_graphql_styleguide.md b/doc/development/api_graphql_styleguide.md index 95722c027ba..501092ff2aa 100644 --- a/doc/development/api_graphql_styleguide.md +++ b/doc/development/api_graphql_styleguide.md @@ -12,24 +12,34 @@ add a `HTTP_PRIVATE_TOKEN` header. ### Authorization Fields can be authorized using the same abilities used in the Rails -app. This can be done using the `authorize` helper: +app. This can be done by supplying the `authorize` option: ```ruby module Types class QueryType < BaseObject graphql_name 'Query' - field :project, Types::ProjectType, null: true, resolver: Resolvers::ProjectResolver do - authorize :read_project - end + field :project, Types::ProjectType, null: true, resolver: Resolvers::ProjectResolver, authorize: :read_project end +end +``` + +Fields can be authorized against multiple abilities, in which case all +ability checks must pass. This requires explicitly passing a block to `field`: + +```ruby +field :project, Types::ProjectType, null: true, resolver: Resolvers::ProjectResolver do + authorize [:read_project, :another_ability] +end ``` The object found by the resolve call is used for authorization. -This works for authorizing a single record, for authorizing -collections, we should only load what the currently authenticated user -is allowed to view. Preferably we use our existing finders for that. +TIP: **Tip:** +When authorizing collections, try to load only what the currently +authenticated user is allowed to view with our existing finders first. +This minimizes database queries and unnecessary authorization checks of +the loaded records. ## Types |
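Review bot: The replacement TIP paragraph at the end of the hunk drops the removed sentence's explicit statement that this mechanism authorizes a single record ("This works for authorizing a single record, for authorizing collections, ..."), so the doc no longer tells readers that `authorize: :read_project` checks only the one object returned by the resolver and not each element of a collection; keep that distinction in the prose before the tip, for example "The object found by the resolve call is used for authorization. This checks a single record; for collections, load only what the user may view." In the same hunk, "This requires explicitly passing a block to `field`" would be clearer if it said what happens when an array is passed to the `authorize:` option instead (is it rejected, or is only part of it checked?), since a reader who gets that wrong ends up with an ability that is never enforced.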