Relay Connection authorization integration

[swalkinshaw]

Visibility and accessibility both have integration with Relay connections here:

graphql-ruby/lib/graphql/schema.rb

Lines 971 to 973 in be5439d

	if member.respond_to?(:relay_node_type) && (t = member.relay_node_type)
	member = t
	end

However this doesn't apply to authorization since authorized? is called from field instrumentation and not via call_on_type_class on the schema.

Is this something that should be taken care of automatically? I'd also assume relay_node_type should be the source of authorized? for the connection and edge.

[rmosolgo]

I wasn't really sure how to make it work. For example, let's say you have a connection which wraps a AR::Relation of Items. Should it go to Item.authorized? ? That means that .authorized? should be prepared for both an Item and an AR::Relation.

A related feature was added for something like this: #1723

[swalkinshaw]

We've always delegated to node type with implementations like this:

# Edge
def authorized?(edge, ctx)
  node_type.authorized?(edge.node, ctx)
end

# Connection
def authorized?(connection, ctx)
  edge_authorizations = connection.edges.map { |edge| edge_type.authorized?(edge, ctx) }
  Promise.all(edge_authorizations).then(&:all?)
end

[rmosolgo]

This is kinda done here:

graphql-ruby/lib/graphql/types/relay/base_connection.rb

Lines 79 to 89 in 90474a9

	def authorized?(obj, ctx)
	true # Let nodes be filtered out
	end
	def accessible?(ctx)
	node_type.accessible?(ctx)
	end
	def visible?(ctx)
	node_type.visible?(ctx)
	end

graphql-ruby/lib/graphql/types/relay/base_edge.rb

Lines 41 to 51 in 90474a9

	def authorized?(obj, ctx)
	true
	end
	def accessible?(ctx)
	node_type.accessible?(ctx)
	end
	def visible?(ctx)
	node_type.visible?(ctx)
	end

It might be improved by ahead-of-time filtering of nodes, as shown above, but right now that filtering is delayed until the node itself is queried.