debian-mirror-gitlab/lib/gitlab/graphql/authorize/authorize_resource.rb

74 lines
2.4 KiB
Ruby
Raw Normal View History

2019-02-15 15:39:39 +05:30
# frozen_string_literal: true
2018-11-18 11:00:15 +05:30
module Gitlab
module Graphql
module Authorize
module AuthorizeResource
extend ActiveSupport::Concern
2021-04-29 21:17:54 +05:30
ConfigurationError = Class.new(StandardError)
2018-11-18 11:00:15 +05:30
2021-04-29 21:17:54 +05:30
RESOURCE_ACCESS_ERROR = "The resource that you are attempting to access does " \
"not exist or you don't have permission to perform this action"
2020-01-01 13:55:28 +05:30
2019-07-07 11:18:12 +05:30
class_methods do
def required_permissions
# If the `#authorize` call is used on multiple classes, we add the
# permissions specified on a subclass, to the ones that were specified
2021-04-29 21:17:54 +05:30
# on its superclass.
@required_permissions ||= if respond_to?(:superclass) && superclass.respond_to?(:required_permissions)
2019-07-07 11:18:12 +05:30
superclass.required_permissions.dup
else
[]
end
end
def authorize(*permissions)
required_permissions.concat(permissions)
end
2021-04-29 21:17:54 +05:30
def authorizes_object?
defined?(@authorizes_object) ? @authorizes_object : false
end
def authorizes_object!
@authorizes_object = true
end
def raise_resource_not_available_error!(msg = RESOURCE_ACCESS_ERROR)
raise ::Gitlab::Graphql::Errors::ResourceNotAvailable, msg
end
2018-11-18 11:00:15 +05:30
end
def find_object(*args)
raise NotImplementedError, "Implement #find_object in #{self.class.name}"
end
2021-01-03 14:25:43 +05:30
def authorized_find!(*args, **kwargs)
object = Graphql::Lazy.force(find_object(*args, **kwargs))
2019-12-04 20:38:33 +05:30
2018-11-18 11:00:15 +05:30
authorize!(object)
object
end
2021-04-29 21:17:54 +05:30
# authorizes the object using the current class authorization.
2018-11-18 11:00:15 +05:30
def authorize!(object)
2021-04-29 21:17:54 +05:30
raise_resource_not_available_error! unless authorized_resource?(object)
2018-11-18 11:00:15 +05:30
end
2019-12-04 20:38:33 +05:30
def authorized_resource?(object)
2019-09-30 21:07:59 +05:30
# Sanity check. We don't want to accidentally allow a developer to authorize
# without first adding permissions to authorize against
2021-04-29 21:17:54 +05:30
raise ConfigurationError, "#{self.class.name} has no authorizations" if self.class.authorization.none?
2019-09-30 21:07:59 +05:30
2021-04-29 21:17:54 +05:30
self.class.authorization.ok?(object, current_user)
2018-11-18 11:00:15 +05:30
end
2020-01-01 13:55:28 +05:30
2021-04-29 21:17:54 +05:30
def raise_resource_not_available_error!(*args)
self.class.raise_resource_not_available_error!(*args)
2020-01-01 13:55:28 +05:30
end
2018-11-18 11:00:15 +05:30
end
end
end
end