This gem lets you authorize access to your GraphQL fields (defined with graphql-ruby).


Add this line to your application's Gemfile:

gem 'graphql_authorize'

And then execute:

$ bundle

Or install it yourself as:

$ gem install graphql_authorize


You can define a proc and pass it to authorize inside the field block:

field :posts, types[PostType] do
  # The proc receives the parent object, the field arguments and the query context;
  # any non-truthy result denies access to the field.
  authorize lambda { |_obj, _args, context|
    current_user = context[:current_user]
    current_user && current_user.admin
  }

  resolve ->(_obj, _args, _context) { ... }
end

It also works with the newer class-based syntax:

field :posts, PostType, null: false do
  authorize lambda { |_obj, _args, context|
    current_user = context[:current_user]
    current_user && current_user.admin
  }
end

Don't forget to pass current_user in the context when you execute the query; otherwise context[:current_user] is nil and the check above denies access, e.g.:

Schema.execute(query, context: { current_user: current_user })


If you are using CanCanCan, you can instead pass an array with two values: the permission to check and the model class:

field :posts, types[PostType] do
  authorize [:read, Post]
  resolve ->(_obj, _args, _context) { ... }
end

To let GraphqlAuthorize know that it should use CanCanCan, configure it somewhere in your app:

GraphqlAuthorize.config.auth_adapter = GraphqlAuthorize::AuthAdapters::CanCanCan

By default it will call can? on the Ability class (you have one if you followed the CanCanCan guide). If you set things up differently, you must also configure auth_adapter_source: a proc that receives the current context and returns an object responding to can?:

GraphqlAuthorize.configure do |config|
  config.auth_adapter = GraphqlAuthorize::AuthAdapters::CanCanCan
  config.auth_adapter_source = ->(context) { context[:current_user] }
end


Pundit integration is very similar to CanCanCan: pass an array with two values in the following way:

field :posts, types[PostType] do
  authorize [:read, Post]
  resolve ->(_obj, _args, _context) { ... }
end

Don't forget to configure GraphqlAuthorize to use the proper adapter:

GraphqlAuthorize.config.auth_adapter = GraphqlAuthorize::AuthAdapters::Pundit
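The following is an added, stand-alone example and not code from the gem itself. It models how the three rule shapes shown above (a proc, a CanCanCan-style [action, model] pair and a Pundit-style pair) are evaluated against the query context, so you can see the deny-by-default behaviour (nil current_user, missing ability source, unknown policy) without graphql-ruby, CanCanCan or Pundit installed. The FieldAuth module, the User and Post structs, the Ability and PostPolicy classes and the adapter lambdas are all constructed for this example; the gem's real internals may differ.

```ruby
# Added example (not the gem's own code): a stand-alone model of how a per-field
# authorization rule is evaluated against the query context. All classes below
# are constructed stand-ins for application code.

User = Struct.new(:name, :admin)
Post = Struct.new(:title)

# CanCanCan-style ability object: anything responding to can?(action, subject).
class Ability
  def initialize(user)
    @user = user
  end

  def can?(action, subject)
    return false if @user.nil?
    return true if @user.admin
    action == :read && subject == Post # non-admins may only read posts
  end
end

# Pundit-style policy: PostPolicy.new(user, record).read? / .destroy?
class PostPolicy
  def initialize(user, _record)
    @user = user
  end

  def read?
    !@user.nil?
  end

  def destroy?
    !!(@user && @user.admin)
  end
end

# Hypothetical evaluator standing in for the gem's field hook. `rule` is either a
# proc (called with obj, args, context) or an [action, model] pair handed to the
# selected adapter. Any non-truthy result, or a missing source/policy, denies.
module FieldAuth
  ADAPTERS = {
    cancancan: ->(action, model, context, source) { source.call(context).can?(action, model) },
    pundit:    ->(action, model, context, _source) {
      policy = Object.const_get("#{model.name}Policy").new(context[:current_user], model)
      policy.public_send("#{action}?")
    }
  }.freeze

  # Mirrors the README default: build an Ability from the current user.
  DEFAULT_SOURCE = ->(context) { Ability.new(context[:current_user]) }

  def self.allowed?(rule, context, adapter: :cancancan, source: DEFAULT_SOURCE, obj: nil, args: {})
    result =
      case rule
      when Proc  then rule.call(obj, args, context)
      when Array then ADAPTERS.fetch(adapter).call(rule[0], rule[1], context, source)
      else raise ArgumentError, "unsupported rule #{rule.inspect}"
      end
    result ? true : false # normalise to a strict boolean; nil means deny
  rescue NameError        # nil source, missing policy or action -> fail closed
    false
  end
end

# The README's proc rule, same shape as in the field block above.
ADMIN_ONLY = lambda { |_obj, _args, context|
  current_user = context[:current_user]
  current_user && current_user.admin
}

if __FILE__ == $PROGRAM_NAME
  admin  = { current_user: User.new("alice", true) }
  reader = { current_user: User.new("bob", false) }
  anon   = {}

  puts FieldAuth.allowed?(ADMIN_ONLY, admin)                              # true
  puts FieldAuth.allowed?(ADMIN_ONLY, anon)                               # false: nil user, no exception
  puts FieldAuth.allowed?([:read, Post], reader)                          # true via Ability#can?
  puts FieldAuth.allowed?([:destroy, Post], reader)                       # false
  puts FieldAuth.allowed?([:read, Post], reader, adapter: :pundit)        # true via PostPolicy#read?
  puts FieldAuth.allowed?([:destroy, Post], anon, adapter: :pundit)       # false
  puts FieldAuth.allowed?([:read, Post], reader, source: ->(_ctx) { nil }) # false: broken source fails closed
end
```

The last call shows why auth_adapter_source matters: if the configured proc returns something that does not respond to can?, the check must deny rather than raise into the resolver or silently pass. Keep the normalisation to a strict boolean as well, since a rule that returns nil (for example when current_user is absent) should be treated as a denial, not as "unset".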


