make sure generic actions are authorized

2024-09-17 03:43:14 +12:00 · 2023-11-24 10:26:32 +01:00 · 2023-11-24 10:26:32 +01:00 · ef711a7ba4
commit ef711a7ba4
parent c1845b2225
3 changed files with 19 additions and 2 deletions
--- a/lib/graphql/resolver.ex
+++ b/lib/graphql/resolver.ex
@ -41,11 +41,17 @@ defmodule AshGraphql.Graphql.Resolver do
              :gql_query,
              query_name,
              metadata do
+          opts = [
+            actor: Map.get(context, :actor),
+            authorize?: AshGraphql.Api.Info.authorize?(api),
+            tenant: Map.get(context, :tenant)
+          ]
+
          result =
            %Ash.ActionInput{api: api, resource: resource}
            |> Ash.ActionInput.set_context(get_context(context))
            |> Ash.ActionInput.for_action(action.name, arguments)
-            |> api.run_action()
+            |> api.run_action(opts)
            |> case do
              {:ok, result} ->
                load_opts =
--- a/test/generic_actions_test.exs
+++ b/test/generic_actions_test.exs
@ -16,7 +16,7 @@ defmodule AshGraphql.GenericActionsTest do
        postCount
      }
      """
-      |> Absinthe.run(AshGraphql.Test.Schema)
+      |> Absinthe.run(AshGraphql.Test.Schema, context: %{actor: %{id: "an-actor"}})

    assert {:ok, result} = resp

--- a/test/support/resources/post.ex
+++ b/test/support/resources/post.ex
@ -94,10 +94,21 @@ defmodule AshGraphql.Test.Post do

  use Ash.Resource,
    data_layer: Ash.DataLayer.Ets,
+    authorizers: [Ash.Policy.Authorizer],
    extensions: [AshGraphql.Resource]

  require Ash.Query

+  policies do
+    policy always() do
+      authorize_if(always())
+    end
+
+    policy action(:count) do
+      authorize_if(actor_present())
+    end
+  end
+
  graphql do
    type :post