Add object authorization before resolution when there is no query aut…

…horization
jungsoft · Nov 30, 2020 · e16bb67 · e16bb67
1 parent a5bcb27
commit e16bb67
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 0 deletions.
diff --git a/lib/schema.ex b/lib/schema.ex
@@ -42,12 +42,22 @@ defmodule Rajska.Schema do
       {{QueryAuthorization, :call}, _config} = query_authorization, new_middlewares ->
         [ObjectAuthorization, query_authorization] ++ new_middlewares
 
+      {{Absinthe.Resolution, :call}, _config} = resolution, new_middlewares ->
+        add_object_authorization_if_not_yet_present(resolution, new_middlewares)
+
       middleware, new_middlewares ->
         [middleware | new_middlewares]
     end)
     |> Enum.reverse()
   end
 
+  defp add_object_authorization_if_not_yet_present(resolution, new_middlewares) do
+    case Enum.member?(new_middlewares, ObjectAuthorization) do
+      true -> [resolution | new_middlewares]
+      false -> [resolution, ObjectAuthorization] ++ new_middlewares
+    end
+  end
+
   @spec add_field_authorization(
     [Middleware.spec(), ...],
     Field.t(),

diff --git a/test/middlewares/schema_test.exs b/test/middlewares/schema_test.exs
@@ -252,4 +252,69 @@ defmodule Rajska.SchemaTest do
       {:ok, _result} = Absinthe.run("{ getUser }", Schema, context: %{current_user: nil})
     end
   end
+
+  test "Adds object authorization after query authorization" do
+    defmodule SchemaQueryAndObjectAuthorization do
+      use Absinthe.Schema
+
+      def context(ctx), do: Map.put(ctx, :authorization, Authorization)
+
+      def middleware(middleware, field, %{identifier: identifier})
+      when identifier in [:query, :mutation] do
+        middleware
+        |> Rajska.add_query_authorization(field, Authorization)
+        |> Rajska.add_object_authorization()
+        |> check_middlewares()
+      end
+
+      def middleware(middleware, _field, _object), do: middleware
+
+      def check_middlewares(middlewares) do
+        assert [
+          {Absinthe.Middleware.Telemetry, []},
+          {{Rajska.QueryAuthorization, :call}, [permit: :all]},
+          Rajska.ObjectAuthorization,
+          {{Absinthe.Resolution, :call}, _fn}
+        ] = middlewares
+      end
+
+      query do
+        field :get_user, :string do
+          middleware Rajska.QueryAuthorization, permit: :all
+          resolve fn _args, _info -> {:ok, "bob"} end
+        end
+      end
+    end
+  end
+
+  test "Adds object authorization before resolution when there is no query authorization" do
+    defmodule SchemaObjectAuthorization do
+      use Absinthe.Schema
+
+      def context(ctx), do: Map.put(ctx, :authorization, Authorization)
+
+      def middleware(middleware, _field, %{identifier: identifier})
+      when identifier in [:query, :mutation] do
+        middleware
+        |> Rajska.add_object_authorization()
+        |> check_middlewares()
+      end
+
+      def middleware(middleware, _field, _object), do: middleware
+
+      def check_middlewares(middlewares) do
+        assert [
+          {Absinthe.Middleware.Telemetry, []},
+          Rajska.ObjectAuthorization,
+          {{Absinthe.Resolution, :call}, _fn}
+        ] = middlewares
+      end
+
+      query do
+        field :get_user, :string do
+          resolve fn _args, _info -> {:ok, "bob"} end
+        end
+      end
+    end
+  end
 end