forked from potsda.mn/mobilizon
b5672cee7e
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
93 lines
2.8 KiB
Elixir
93 lines
2.8 KiB
Elixir
defmodule Mobilizon.GraphQL.Authorization do
|
|
@moduledoc """
|
|
Check authorizations
|
|
"""
|
|
|
|
use Rajska,
|
|
valid_roles: [:user, :moderator, :administrator],
|
|
super_role: :administrator,
|
|
default_rule: :default
|
|
|
|
alias Mobilizon.Applications.ApplicationToken
|
|
alias Mobilizon.GraphQL.Authorization.AppScope
|
|
alias Mobilizon.Users.User
|
|
import Mobilizon.Web.Gettext, only: [dgettext: 3]
|
|
|
|
@impl true
|
|
def has_user_access?(%User{}, _scope, _rule), do: true
|
|
|
|
@impl true
|
|
def has_user_access?(%ApplicationToken{scope: scope} = _current_app_token, _struct, rule)
|
|
when rule != :forbid_app_access do
|
|
AppScope.has_app_access?(scope, rule)
|
|
end
|
|
|
|
@impl true
|
|
def has_user_access?(_current_user, _scoped_struct, _rule), do: false
|
|
|
|
@impl true
|
|
def get_current_user(%{current_auth_app_token: app_token}), do: app_token
|
|
def get_current_user(%{current_user: current_user}), do: current_user
|
|
def get_current_user(_ctx), do: nil
|
|
|
|
@impl true
|
|
def role_authorized?(_user_role, :all), do: true
|
|
def role_authorized?(role, _allowed_role) when is_super_role(role), do: true
|
|
def role_authorized?(:moderator, :user), do: true
|
|
|
|
def role_authorized?(user_role, allowed_role) when is_atom(user_role) and is_atom(allowed_role),
|
|
do: user_role === allowed_role
|
|
|
|
def role_authorized?(user_role, allowed_roles)
|
|
when is_atom(user_role) and is_list(allowed_roles),
|
|
do: user_role in allowed_roles or (user_role === :moderator and :user in allowed_roles)
|
|
|
|
@impl true
|
|
def get_user_role(%ApplicationToken{user: %{role: role}}), do: role
|
|
def get_user_role(%{role: role}), do: role
|
|
def get_user_role(nil), do: nil
|
|
|
|
@impl true
|
|
def get_ip(%{ip: ip}), do: ip
|
|
|
|
@impl true
|
|
def unauthorized_message(resolution) do
|
|
case Map.get(resolution.context, :current_user) do
|
|
nil ->
|
|
"unauthenticated"
|
|
|
|
_ ->
|
|
"unauthorized"
|
|
end
|
|
end
|
|
|
|
@impl true
|
|
def unauthorized_query_scope_message(_resolution, object_type) do
|
|
dgettext("errors", "Not authorized to access this %{object_type}",
|
|
object_type: replace_underscore(object_type)
|
|
)
|
|
end
|
|
|
|
@impl true
|
|
def unauthorized_object_scope_message(_result_object, object) do
|
|
dgettext("errors", "Not authorized to access object %{object}", object: object.identifier)
|
|
end
|
|
|
|
@impl true
|
|
def unauthorized_object_message(_resolution, object) do
|
|
dgettext("errors", "Not authorized to access object %{object}", object: object.identifier)
|
|
end
|
|
|
|
@impl true
|
|
def unauthorized_field_message(_resolution, field),
|
|
do: dgettext("errors", "Not authorized to access field %{field}", field: field)
|
|
|
|
defp replace_underscore(string) when is_binary(string), do: String.replace(string, "_", " ")
|
|
|
|
defp replace_underscore(atom) when is_atom(atom) do
|
|
atom
|
|
|> Atom.to_string()
|
|
|> replace_underscore()
|
|
end
|
|
end
|