| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 |
- # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
- module Gql::Concerns::HandlesAuthorization
- extend ActiveSupport::Concern
- included do
- #
- # Customizable methods
- #
- # Override this method to implement additional handlers.
- def self.before_authorize(...)
- true
- end
- # Override this method if an object requires custom authorization, e.g. based on Pundit.
- def self.authorize(...)
- true # Authorization is granted by default.
- end
- # Helper method to check pundit authorization of the current user for a given object.
- def pundit_authorize!(record, query = :show?)
- Pundit.authorize(context.current_user, record, query)
- end
- # Helper method to check pundit authorization of the current user for a given object.
- def pundit_authorized?(record, query = :show?)
- # Invoke policy directly to get back the actual result,
- # not the original object as returned by 'authorize'.
- Pundit.policy(context.current_user, record).public_send(query)
- end
- #
- # Internal methods
- #
- # This method is used by GraphQL to perform authorization on the various objects.
- def self.authorized?(*)
- # ctx = args[-1] # This may be called with 2 or 3 params, context is last.
- before_authorize(*)
- # Authorize
- authorize(*)
- rescue Pundit::NotAuthorizedError # Map to 'Forbidden'
- raise Exceptions::Forbidden, "Access forbidden by #{name}"
- end
- end
- end
|
