Absinthe middleware to perform query scoping.

Usage

Create your Authorization module and add it and QueryAuthorization to your Absinthe.Schema. Since Scope Authorization middleware must be used with Query Authorization, it is automatically called when adding the former. Then set the scoped module and argument field:

mutation do
  field :create_user, :user do
    arg :params, non_null(:user_params)

    middleware Rajska.QueryAuthorization, permit: :all
    resolve &AccountsResolver.create_user/2
  end

  field :update_user, :user do
    arg :id, non_null(:integer)
    arg :params, non_null(:user_params)

    middleware Rajska.QueryAuthorization, [permit: :user, scoped: User] # same as {User, :id}
    resolve &AccountsResolver.update_user/2
  end

  field :delete_user, :user do
    arg :id, non_null(:integer)

    middleware Rajska.QueryAuthorization, permit: :admin
    resolve &AccountsResolver.delete_user/2
  end
end

In the above example, :all and :admin permissions don't require the :scoped keyword, as defined in the Rajska.Authorization.not_scoped_roles/0 function, but you can modify this behavior by overriding it.

Valid values for the :scoped keyword are:

• false: disables scoping
• User: a module that will be passed to Rajska.Authorization.has_user_access?/3. It must implement a Rajska.Authorization behaviour and a __schema__(:source) function (used to check if the module is valid in Rajska.Schema.validate_query_auth_config!/2)
• {User, :id}: where :id is the query argument that will also be passed to Rajska.Authorization.has_user_access?/3
• {User, [:params, :id]}: where id is the query argument as above, but it's not defined directly as an arg for the query. Instead, it's nested inside the params argument.
• {User, :user_group_id, :optional}: where user_group_id (it could also be a nested argument) is an optional argument for the query. If it's present, the scoping will be applied, otherwise no scoping is applied.