• charlie ablett's avatar
    Replace Authorize instrument with gem auth · 8d7a47f8
    charlie ablett authored
    This changes our GraphQL code to use the built-in `#authorize` methods
    to handle permissions.
    
    We originally implemented this functionality with a field-extension,
    but this is no longer necessary. This commit replaces that unnecessary
    field extension with implementations of `BaseObject#authorize` that
    use our policy framework.
    
    Significant changes included here:
    
    - field authorization now works as per the library specification: it
      authorizes against the current object, not the resolved value.
      To apply permissions to the resolved value, use the type permissions.
    - we allow resolvers to do the same (opt-in).
    - we extend authorization to enums (currently no enums use
      authorization).
    
    Note on enums:
    We don't actually have any authorization on enums, but we need to detect
    that efficiently. By supporting `ObjectAuthorization`, we can skip
    redaction now, and support it later (if we add enum members that require
    special authorization to see).
    
    Removals:
    
    - The ManualAuthorization temporary class
    - The synchronized_object method on BaseResolver
    - Field.authorize DSL method
    
    Changes:
    
    The error raised when there is no auth becomes an internal server
    error (ConfigurationError) since it cannot be caused by the client,
    and represents a programming mistake.
    
    The board issue move mutation has unnecessary logic removed, and the
    test for this is adjusted to verify the correctness of this change.
    Co-authored-by: default avatarAlex Kalderimis <akalderimis@gitlab.com>
    Co-authored-by: default avatarCharlie Ablett <cablett@gitlab.com>
    8d7a47f8
gitlab_schema_spec.rb 8.12 KB