Replace Authorize instrument with gem auth
This changes our GraphQL code to use the built-in `#authorize` methods to handle permissions.

We originally implemented this functionality with a field-extension, but this is no longer necessary. This commit replaces that unnecessary field extension with implementations of `BaseObject#authorize` that use our policy framework.

Significant changes included here:

- field authorization now works as per the library specification: it authorizes against the current object, not the resolved value. To apply permissions to the resolved value, use the type permissions.
- we allow resolvers to do the same (opt-in).
- we extend authorization to enums (currently no enums use authorization).

Note on enums:

We don't actually have any authorization on enums, but we need to detect that efficiently. By supporting `ObjectAuthorization`, we can skip redaction now, and support it later (if we add enum members that require special authorization to see).

Removals:

- The ManualAuthorization temporary class
- The synchronized_object method on BaseResolver
- Field.authorize DSL method

Changes:

The error raised when there is no auth becomes an internal server error (ConfigurationError) since it cannot be caused by the client, and represents a programming mistake.

The board issue move mutation has unnecessary logic removed, and the test for this is adjusted to verify the correctness of this change.

Co-authored-by: Alex Kalderimis <akalderimis@gitlab.com>
Co-authored-by: Charlie Ablett <cablett@gitlab.com>
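
The first item under "Significant changes" in the commit message above matters for access control: a permission declared on a field is checked against the object that owns the field, so it does not by itself protect the values the field returns. The Ruby sketch below is an added example, not code from this commit or from the GraphQL library; `Policy`, `TypeDef`, `FieldDef` and the sample data are hypothetical stand-ins that model only those two checks.

```ruby
# Simplified model of field-level vs type-level authorization.
# Constructed for illustration; not graphql-ruby's or GitLab's code.
User    = Struct.new(:name, :can_read_confidential)
Project = Struct.new(:title, :issues)
Issue   = Struct.new(:title, :confidential)

# Hypothetical policy: only confidential subjects need the extra ability.
module Policy
  def self.allowed?(user, _ability, subject)
    return true unless subject.respond_to?(:confidential) && subject.confidential
    user.can_read_confidential
  end
end

# A type authorizes each resolved value of that type.
class TypeDef
  def initialize(ability = nil)
    @ability = ability
  end

  def visible(value, user)
    return value if @ability.nil? || Policy.allowed?(user, @ability, value)
    nil # redacted
  end
end

# A field authorizes against the object it is defined on (the parent).
class FieldDef
  def initialize(type:, ability: nil, &resolver)
    @type, @ability, @resolver = type, ability, resolver
  end

  def resolve(parent, user)
    return nil if @ability && !Policy.allowed?(user, @ability, parent)
    @resolver.call(parent).map { |value| @type.visible(value, user) }
  end
end

GUEST   = User.new("guest", false)
PROJECT = Project.new("demo", [Issue.new("public bug", false), Issue.new("secret bug", true)])

# Field-only: :read_issue is evaluated against the Project, so it passes.
FIELD_ONLY = FieldDef.new(type: TypeDef.new, ability: :read_issue, &:issues)
# Type-level: :read_issue is evaluated against each resolved Issue.
WITH_TYPE  = FieldDef.new(type: TypeDef.new(:read_issue), &:issues)

def titles(field, user)
  field.resolve(PROJECT, user).map { |issue| issue&.title }
end
```

With the field-only declaration the guest receives both issues; with the type-level declaration the confidential one is redacted to `nil`.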