GraphQL Permissions allows you to model permissions directly in your GraphQL schema. It works together with your authorization library to communicate which actions are and are not allowed to your client.
At the highest level, it lets you write queries like this:
query PostById($id: ID!) {
post(id: $id) {
id
body
permissions {
canEdit
canDelete
}
}
}
This helps keep all of your authorization logic in one place, and prevent disagreements between the server and client about whether a user can perform an action.
GraphQL Permissions was designed with the Pundit gem in mind, but should work with most authorization libraries.
Add this line to your application's Gemfile:
gem 'graphql-permissions'
And then execute:
$ bundle install
Or install it yourself as:
$ gem install graphql-permissions
Then run the Rails generator:
$ bin/rails generate graphql:permissions:install
This will create the base permissions object and interface types, as well as an initializer in config/initializers/graphql_permissions.rb
GraphQL Permissions requires a default permission handler callback to be defined by your application. This callback receives the action performed, the object being authorized, and your GraphQL context, and must return a Boolean value to indicate whether the action is or is not allowed.
For example, integration for the Pundit gem might look like so:
GraphQL::Permissions.default_permission_handler = lambda do |action, object, context|
Pundit.policy(context[:current_user], object).send(:"#{action}?")
end
A stub permissions handler callback is defined under config/initializers/graphql_permissions.rb by the Rails generator.
class PostType < Types::BaseObject
field :id, ID, null: false
field :body, String, null: false
permissions do
permission :update
permission :destroy
end
end
The Post GraphQL object will expose a permissions property which returns a PostPermissions object.
Your GraphQL schema would look like:
type Post {
id: ID!
body: String!
permissions: PostPermissions!
}
type PostPermissions {
canUpdate: Boolean!
canDestroy: Boolean!
}
GraphQL interfaces can also define permissions:
module LikeableType
include Types::BaseInterface
field :liked_by_you, Boolean, null: false
permissions do
permission :like
permission :dislike
end
end
The Likeable GraphQL interface will expose a permissions property which returns a LikeablePermissions interface.
Permissions are automatically added to objects that implement an interface which defines permissions. For example:
class PostType < Types::BaseObject
implements LikeableType
# Permissions from `LikeableType` are automatically inherited
end
Now the Post object implements the Likeable interface, and the PostPermissions object will automatically implement the LikeablePermissions interface.
The resulting GraphQL schema would look like:
interface Likeable {
likedByYou: Boolean!
permissions: LikeablePermissions!
}
interface LikeablePermissions {
canLike: Boolean!
canDislike: Boolean!
}
type Post implements Likeable {
id: ID!
body: String!
permissions: PostPermissions!
}
type PostPermissions implements LikeablePermissions {
canUpdate: Boolean!
canDestroy: Boolean!
}
You can also provide a block when defining a permission to include custom permission or data-fetching logic:
class UserType < Types::BaseObject
# ...
permissions do
permission :ban do
context[:current_user].admin? && !object.admin?
end
end
end
After checking out the repo, run bin/setup to install dependencies. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.
Bug reports and pull requests are welcome on GitHub at https://github.com/mintyfresh/graphql-permissions.
FAQs
Unknown package
We found that graphql-permissions demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.