Rajska v1.0.2 Rajska.ObjectScopeAuthorization

Absinthe Phase to perform object scoping.

Authorizes every Absinthe object returned by a query by checking the struct that backs it against the current user, after resolution has run.

Usage

Create your Authorization module and add both it and Rajska.ObjectScopeAuthorization to your Absinthe pipeline. Then set the scope of an object:

object :user do
  # Turn on Object and Field scoping, but if the FieldAuthorization middleware is not included, this is the same as using `scope_object?`
  meta :scope?, true

  field :id, :integer
  field :email, :string
  field :name, :string

  field :company, :company
end

object :company do
  meta :scope_object?, true

  field :id, :integer
  field :user_id, :integer
  field :name, :string
  field :wallet, :wallet
end

object :wallet do
  meta :scope?, true
  meta :rule, :object_authorization

  field :total, :integer
end

To define custom rules for the scoping, use has_user_access?/3. For example:

defmodule Authorization do
  use Rajska,
    valid_roles: [:user, :admin],
    super_role: :admin

  @impl true
  # Admins may see any User
  def has_user_access?(%{role: :admin}, %User{}, _rule), do: true
  # A user may see only their own User struct
  def has_user_access?(%{id: user_id}, %User{id: id}, _rule) when user_id === id, do: true
  def has_user_access?(_current_user, %User{}, _rule), do: false

  # The same struct can be checked under different rules, selected with `meta :rule`
  def has_user_access?(%{id: user_id}, %Wallet{user_id: id}, :object_authorization), do: user_id == id
  def has_user_access?(_current_user, %Wallet{}, :always_block), do: false
end

This way, different rules can be applied to the same struct. See Rajska.Authorization for the default rule settings.
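The two steps above (wiring the phase into the pipeline, and writing rules with has_user_access?/3) put together, as an added example that is not Rajska's own code. It assumes a Phoenix router, a schema module MyAppWeb.Schema, struct modules MyApp.Accounts.User and MyApp.Accounts.Wallet, and an upstream plug that has already stored the authenticated user in the Absinthe context; those names are illustrative. The rule set ends in a catch-all deny clause so that a scoped object added to the schema without a matching rule is refused rather than silently exposed:

```elixir
# Added example, not Rajska's or Absinthe's own code. Module names below are assumptions.

defmodule MyAppWeb.Authorization do
  use Rajska,
    valid_roles: [:user, :admin],
    super_role: :admin

  alias MyApp.Accounts.{User, Wallet}

  @impl true
  # The super role may see any scoped struct under any rule
  def has_user_access?(%{role: :admin}, _struct, _rule), do: true

  # A user may see only their own User struct
  def has_user_access?(%{id: id}, %User{id: id}, _rule), do: true

  # A wallet is visible to its owner under the default object rule only;
  # the pin in the pattern (user_id appears twice) enforces equality
  def has_user_access?(%{id: user_id}, %Wallet{user_id: user_id}, :object_authorization), do: true

  # Fail closed: every struct/rule pair not matched above is denied
  def has_user_access?(_current_user, _struct, _rule), do: false
end

defmodule MyAppWeb.Router do
  use Phoenix.Router

  # Assumption: a plug mounted before this forward puts the current user into
  # the Absinthe context so the Authorization module can read it.
  forward "/graphql", Absinthe.Plug,
    schema: MyAppWeb.Schema,
    pipeline: {__MODULE__, :graphql_pipeline}

  # Rajska.ObjectScopeAuthorization inspects resolved structs, so it has to run
  # after Absinthe's Resolution phase; insert it directly after that phase.
  def graphql_pipeline(config, pipeline_opts) do
    config
    |> Absinthe.Plug.default_pipeline(pipeline_opts)
    |> Absinthe.Pipeline.insert_after(
      Absinthe.Phase.Document.Execution.Resolution,
      Rajska.ObjectScopeAuthorization
    )
  end
end
```

With this in place, a query that resolves another user's `:wallet` (rule `:object_authorization`) falls through to the catch-all and is rejected, while the owner and any `:admin` pass. Keep the catch-all as the last clause: a more specific clause placed after it is unreachable and the compiler will warn about it.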
