No release in over a year
This gem allows you to use a JSON:API implementation (Graphiti) with ActionPolicy
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 2.0
~> 1.8
~> 13.0
~> 3.8
~> 0.41

Runtime

 Project Readme

Action Policy Graphiti

This gem allows you to use Action Policy as an authorization framework for Graphiti applications.

The following features are currently enabled:

  • Authorization of create, update and destroy actions
  • Resource scoping

Installation

Add this line to your application's Gemfile:

gem "action_policy-graphiti"

Usage

The integration is done via including a behaviour module into your Graphiti resources:

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour
end

Authorization of actions is done via using corresponding class methods:

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour
  
  authorize_action :create
  authorize_action :update
  authorize_action :destroy
end

Or certain action shortcuts may be used (pay attention to explicit policies and actions):

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour
  
  authorize_create to: :manage_but_not_destroy?
  authorize_update with: 'TestExplicitPolicy', to: :manage_but_not_destroy?
  authorize_destroy
end

Note: current implementation requires you to use policy names (when specifying explicit policies) instead of classes since it is not guaranteed that policy classes are already loaded before the resource classes load.

Note: current implementation requires you to place authorize_ directives after before_save and before_destroy hooks (since it is adding authorization checks as hooks and we want them to be called after all the regular hooks were completed).

Scoping is done via adding the following class method call (you can specify the explicit policy using with argument):

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour
  
  authorize_scope with: 'TestExplicitPolicy'
  # or just plain authorize_scope 
end

You can also use a handy shortcut (you can also use an explicit with argument just as with other authorize_ class methods) to authorize create, update, destroy methods and also apply scoping:

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour
  
  authorize_and_scope_all with: 'TestExplicitPolicy'
  # or just plain authorize_and_scope_all if you want to deduce the policy class 
end

Note: current implementation requires you to place authorize_scope (and authorize_and_scope_all too) call after the explicit base_scope method (scoping is performed by base scope results modification).

You can also use authorization context building inside Graphiti resources (just like with Action Policy in controllers):

class TestResource < ApplicationResource
  include ActionPolicy::Graphiti::Behaviour
  
  authorize :parameter, through: :acquire_parameter
  
  def acquire_parameter
    # Your code goes here
  end
end

Or in a base class:

class ApplicationResource < Graphiti::Resource
  include ActionPolicy::Graphiti::Behaviour
  
  authorize :parameter, through: :acquire_parameter
  
  def acquire_parameter
    # Your code goes here
  end
end

And then in a corresponding policy:

class ApplicationPolicy < ActionPolicy::Base
  authorize :parameter
end

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/shrimple-tech/action_policy-graphiti.

License

The gem is available as open source under the terms of the MIT License.