update site

Author: rmosolgo

CHANGELOG-pro.md

@@ -8,6 +8,12 @@
 
 ### Bug Fix
 
+## 1.7.10 (10 Aug 2018)
+
+### New Features
+
+- Update `PunditIntegration` for arguments, unions, interfaces and mutations
+
 ## 1.7.9 (9 Aug 2018)
 
 ### New Features

guides/authorization/pundit_integration.md

@@ -10,7 +10,6 @@ pro: true
 
 [GraphQL::Pro](http://graphql.pro) includes an integration for powering GraphQL authorization with [Pundit](https://github.com/varvet/pundit) policies.
 
-
 __Why bother?__ You _could_ put your authorization code in your GraphQL types themselves, but writing a separate authorization layer gives you a few advantages:
 
 - Since the authorization code isn't embedded in GraphQL, you can use the same logic in non-GraphQL (or legacy) parts of the app.
@@ -27,21 +26,33 @@ gem "graphql-pro", ">=1.7.9"
 gem "graphql", ">=1.8.7"
 ```
 
-To use the Pundit integration, include modules into your base object and base field classes, then set a default role:
+Then, `bundle install`.
+
+Whenever you run queries, include `:current_user` in the context:
 
 ```ruby
-class Types::BaseField < GraphQL::Schema::Field
-  # Add the Pundit integration:
-  include GraphQL::Pro::PunditIntegration::FieldIntegration
-  # By default, don't require a role at field-level:
-  pundit_role nil
-end
+context = {
+  current_user: current_user,
+  # ...
+}
+MySchema.execute(..., context: context)
+```
 
-# ...
+And read on about the different features of the integration:
 
-class Types::BaseObject < GraphQL::Schema::Field
-  # Hook up the custom field class:
-  field_class Types::BaseField
+- [Authorizing Objects](#authorizing-objects)
+- [Scoping Lists and Connections](#scopes)
+- [Authorizing Fields](#authorizing-fields)
+- [Authorizing Arguments](#authorizing-arguments)
+- [Authorizing Mutations](#authorizing-mutations)
+
+## Authorizing Objects
+
+You can specify Pundit roles that must be satisfied in order for viewers to see objects of a certain type. To get started, include the `ObjectIntegration` in your base object class:
+
+```ruby
+# app/graphql/types/base_object.rb
+class Types::BaseObject < GraphQL::Schema::Object
   # Add the Pundit integration:
   include GraphQL::Pro::PunditIntegration::ObjectIntegration
   # By default, require staff:
@@ -51,39 +62,18 @@ class Types::BaseObject < GraphQL::Schema::Field
 end
 ```
 
-If you haven't already done so, you should also hook up your base field class to your base interface and base mutation:
-
-```ruby
-module Types::BaseInterface
-  include GraphQL::Schema::Interface
-  field_class Types::BaseField
-end
-
-# And:
-
-class Mutations::BaseMutation < GraphQL::Schema::RelayClassicMutation
-  field_class Types::BaseField
-end
-```
+Now, anyone trying to read a GraphQL object will have to pass the `#staff?` check on that object's policy.
 
-Then, in your query context, always include `current_user:`
+Then, each child class can override that parent configuration. For example, allow _all_ viewers to read the `Query` root:
 
 ```ruby
-context = {
-  current_user: current_user,
-  # ...
-}
-MySchema.execute(..., context: context)
+class Types::Query < Types::BaseObject
+  # Allow anyone to see the query root
+  pundit_role nil
+end
 ```
 
-This will add the following behaviors to your schema:
-
-- Before any object is exposed by GraphQL, it will use a Pundit policy for that object
-- When lists or connections are exposed by GraphQL, it will use a Pundit scope to filter that list
-
-When any Policy method returns `false`, the unauthorized object is passed to {{ "Schema.unauthorized_object" | api_doc }}, as described in {% internal_link "Handling unauthorized objects", "/authorization/authorization#handling-unauthorized-objects" %}.
-
-## Policies and Methods
+#### Policies and Methods
 
 For each object returned by GraphQL, the integration matches it to a policy and method.
 
@@ -102,32 +92,79 @@ end
 
 That configuration will call `#employer_or_self?` on the corresponding Pundit policy.
 
-### Default Method
+#### Bypassing Policies
 
-This configuration is inherited, so you can set a default value in the parent class, for example:
+The integration requires that every object with a `pundit_role` has a corresponding policy class. To allow objects to _skip_ authorization, you can pass `nil` as the role:
 
 ```ruby
-class Types::BaseObject < GraphQL::Schema::Object
-  # By default, restrict all GraphQL objects to internal staff;
-  # override this to allow access to any other users.
-  pundit_role :staff
+class Types::PublicProfile < Types::BaseObject
+  # Anyone can see this
+  pundit_role nil
 end
 ```
 
-### Bypassing Policies
+#### Handling Unauthorized Objects
 
-The integration requires that every object with a `pundit_role` has a corresponding policy class. To allow objects to _skip_ authorization, you can pass `nil` as the role:
+When any Policy method returns `false`, the unauthorized object is passed to {{ "Schema.unauthorized_object" | api_doc }}, as described in {% internal_link "Handling unauthorized objects", "/authorization/authorization#handling-unauthorized-objects" %}.
+
+## Scopes
+
+The Pundit integration adds [Pundit scopes](https://github.com/varvet/pundit#scopes) to GraphQL-Ruby's {% internal_link "list scoping", "/authorization/scoping" %} feature. Any list or connection will be scoped. If a scope is missing, the query will crash rather than risk leaking unfiltered data.
+
+To scope lists of interface or union type, include the integration in your base union class and base interface module:
 
 ```ruby
-class Types::PublicProfile < Types::BaseObject
-  # Anyone can see this
+class BaseUnion < GraphQL::Schema::Union
+  include GraphQL::Pro::PunditIntegration::UnionIntegration
+end
+
+module BaseInterface
+  include GraphQL::Schema::Interface
+  include GraphQL::Pro::PunditIntegration::InterfaceIntegration
+end
+```
+
+Note that Pundit scopes are best for database relations, but don't play well with Arrays. See below for bypassing Pundit if you want to return an Array.
+
+#### Bypassing scopes
+
+To allow an unscoped relation to be returned from a field, disable scoping with `scope: false`, for example:
+
+```ruby
+# Allow anyone to browse the job postings
+field :job_postings, [Types::JobPosting], null: false,
+  scope: false
+```
+
+## Authorizing Fields
+
+You can also require certain checks on a field-by-field basis. First, include the integration in your base field class:
+
+```ruby
+# app/graphql/types/base_field.rb
+class Types::BaseField < GraphQL::Schema::Field
+  # Add the Pundit integration:
+  include GraphQL::Pro::PunditIntegration::FieldIntegration
+  # By default, don't require a role at field-level:
   pundit_role nil
 end
 ```
 
-## Field-level authorization
+If you haven't already done so, you should also hook up your base field class to your base object and base interface:
 
-Sometimes, some fields require higher permission than others. You can add `pundit_role` to `field(...)` calls to specify a method to call. For example:
+```ruby
+# app/graphql/types/base_object.rb
+class Types::BaseObject < GraphQL::Schema::Object
+  field_class Types::BaseField
+end
+# app/graphql/types/base_interface.rb
+module Types::BaseInterface
+  # ...
+  field_class Types::BaseField
+end
+```
+
+Then, you can add `pundit_role:` options to your fields:
 
 ```ruby
 class Types::JobPosting < Types::BaseObject
@@ -141,16 +178,140 @@ class Types::JobPosting < Types::BaseObject
 end
 ```
 
-This way, certain fields can have higher permission requirements.
+It will call the named role (eg, `#staff?`) on the parent object's policy (eg `JobPostingPolicy`).
 
-## Scopes
+## Authorizing Arguments
 
-The Pundit integration adds [Pundit scopes](https://github.com/varvet/pundit#scopes) to GraphQL-Ruby's {% internal_link "list scoping", "/authorization/scoping" %} feature. `ActiveRecord::Relation`s and `Mongoid::Criteria`s will be matched to Policy scopes and filtered accordingly. If a scope is missing, the query will crash rather than risk leaking unfiltered data.
+Similar to field-level checks, you can require certain permissions to _use_ certain arguments. To do this, add the integration to your base argument class:
 
-To allow an unscoped relation to be returned from a field, disable scoping with `scope: false`, for example:
+```ruby
+class Types::BaseArgument < GraphQL::Schema::Argument
+  # Include the integration and default to no permissions required
+  include GraphQL::Pro::PunditIntegration::ArgumentIntegration
+  pundit_role nil
+end
+```
+
+Then, make sure your base argument is hooked up to your base field and base input object:
 
 ```ruby
-# Allow anyone to browse the job postings
-field :job_postings, [Types::JobPosting], null: false,
-  scope: false
+class Types::BaseField < GraphQL::Schema::Field
+  argument_class Types::BaseArgument
+  # PS: see "Authorizing Fields" to make sure your base field is hooked up to objects, intefaces and mutations
+end
+
+class Types::BaseInputObject < GraphQL::Schema::InputObject
+  argument_class Types::BaseArgument
+end
+```
+
+Now, arguments accept a `pundit_role:` option, for example:
+
+```ruby
+class Types::Company < Types::BaseObject
+  field :employees, Types::Employee.connection_type, null: true do
+    # Only admins can filter employees by email:
+    argument :email, String, required: false, pundit_role: :admin
+  end
+end
+```
+
+The role will be called on the parent object's policy, for example `CompanyPolicy#admin?` in the case above.
+
+## Authorizing Mutations
+
+There are a few ways to authorize GraphQL mutations with the Pundit integration:
+
+- Add a [mutation-level roles](#mutation-level-roles)
+- Run checks on [objects loaded by ID](#authorizing-loaded-objects)
+
+Also, you can configure [unauthorized object handling](#unauthorized-mutations)
+
+#### Setup
+
+Add `MutationIntegration` to your base mutation, for example:
+
+```ruby
+class Mutations::BaseMutation < GraphQL::Schema::RelayClassicMutation
+  include GraphQL::Pro::PunditIntegration
+end
+```
+
+Also, you'll probably want a `BaseMutationPayload` where you can set a default role:
+
+```ruby
+class Types::BaseMutationPayload < Types::BaseObject
+  # If `BaseObject` requires some permissions, override that for mutation results.
+  # Assume that anyone who can run a mutation can read their generated result types.
+  pundit_role nil
+end
+```
+
+And hook it up to your base mutation:
+
+```ruby
+class Mutations::BaseMutation < GraphQL::Schema::RelayClassicMutation
+  object_class Types::BaseMutationPayload
+end
+```
+
+#### Mutation-level roles
+
+Each mutation can have a class-level `pundit_role` which will be checked before loading objects or resolving, for example:
+
+```ruby
+class Mutations::PromoteEmployee < Mutations::BaseMutation
+  pundit_role :admin
+end
+```
+
+In the example above, `PromoteEmployeePolicy#admin?` will be checked before running the mutation.
+
+#### Authorizing Loaded Objects
+
+Mutations can automatically load and authorize objects by ID using the `loads:` option.
+
+Beyond the normal [object reading permissions](#authorizing-objects), you can add an additional role for the specific mutation input using a `pundit_role:` option:
+
+```ruby
+class Mutations::FireEmployee < Mutations::BaseMutation
+  argument :employee_id, ID, required: true,
+    loads: Types::Employee,
+    pundit_role: :supervisor,
+end
+```
+
+In the case above, the mutation will halt unless the `EmployeePolicy#supervisor?` method returns true.
+
+#### Unauthorized Mutations
+
+By default, an authorization failure in a mutation will raise a Ruby exception. You can customize this by implementing `#unauthorized_by_pundit(owner, value)` in your base mutation, for example:
+
+```ruby
+class Mutations::BaseMutation < GraphQL::Schema::RelayClassicMutation
+  def unauthorized_by_pundit(owner, value)
+    # No error, just return nil:
+    nil
+  end
+end
+```
+
+The method is called with:
+
+- `owner`: the `GraphQL::Schema::Argument` or mutation class whose role was not satisfied
+- `value`: the object which didn't pass for `context[:current_user]`
+
+Since it's a mutation method, you can also access `context` in that method.
+
+Whatever that method returns will be treated as an early return value for the mutation, so for example, you could return {% internal_link "errors as data", "/mutations/mutation_errors" %}:
+
+```ruby
+class Mutations::BaseMutation < GraphQL::Schema::RelayClassicMutation
+  field :errors, [String], null: true
+
+  def unauthorized_by_pundit(owner, value)
+    # Return errors as data:
+    { errors: ["Missing required permission: #{owner.pundit_role}, can't access #{value.inspect}"] }
+  end
+end
 ```

guides/pro/checksums/graphql-pro-1.7.10.txt

@@ -0,0 +1 @@
+9cc3900fa9b04a667146595141586592e1c7f72d4fb88d6af8e95b74d50cb8c096e5abd00d35e295a66dbdc7774b0afd311a20747e6051d786da36564282aeca