Introduce authorizations with Rajska

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

lib/graphql/schema/discussions/comment.ex

@@ -11,6 +11,7 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
 
   @desc "A comment"
   object :comment do
+    meta(:authorize, :all)
     interfaces([:action_log_object, :activity_object])
     field(:id, :id, description: "Internal ID for this comment")
     field(:uuid, :uuid, description: "An UUID for this comment")
@@ -73,6 +74,7 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
 
   @desc "A paginated list of comments"
   object :paginated_comment_list do
+    meta(:authorize, :all)
     field(:elements, list_of(:comment), description: "A list of comments")
     field(:total, :integer, description: "The total number of comments in the list")
   end
@@ -81,6 +83,7 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
     @desc "Get replies for thread"
     field :thread, type: list_of(:comment) do
       arg(:id, non_null(:id), description: "The comment ID")
+      middleware(Rajska.QueryAuthorization, permit: :all)
       resolve(&Comment.get_thread/3)
     end
   end
@@ -95,6 +98,13 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
 
       arg(:is_announcement, :boolean, description: "Should this comment be announced to everyone?")
 
+      middleware(Rajska.QueryAuthorization,
+        permit: :user,
+        scope: Mobilizon.Discussions.Comment,
+        rule: :"write:comment:create",
+        args: %{event_id: :event_id}
+      )
+
       resolve(&Comment.create_comment/3)
     end
 
@@ -106,6 +116,13 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
 
       arg(:is_announcement, :boolean, description: "Should this comment be announced to everyone?")
 
+      middleware(Rajska.QueryAuthorization,
+        permit: :user,
+        scope: Mobilizon.Discussions.Comment,
+        rule: :"write:comment:update",
+        args: %{id: :comment_id}
+      )
+
       resolve(&Comment.update_comment/3)
     end
 
@@ -113,6 +130,13 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
     field :delete_comment, type: :comment do
       arg(:comment_id, non_null(:id), description: "The comment ID")
 
+      middleware(Rajska.QueryAuthorization,
+        permit: [:user, :moderator],
+        scope: Mobilizon.Discussions.Comment,
+        rule: :"write:comment:delete",
+        args: %{id: :comment_id}
+      )
+
       resolve(&Comment.delete_comment/3)
     end
   end

lib/graphql/schema/discussions/discussion.ex

@@ -11,6 +11,7 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.DiscussionType do
 
   @desc "A discussion"
   object :discussion do
+    meta(:authorize, :user)
     interfaces([:activity_object])
     field(:id, :id, description: "Internal ID for this discussion")
     field(:title, :string, description: "The title for this discussion")
@@ -36,6 +37,7 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.DiscussionType do
 
   @desc "A paginated list of discussions"
   object :paginated_discussion_list do
+    meta(:authorize, :user)
     field(:elements, list_of(:discussion), description: "A list of discussion")
     field(:total, :integer, description: "The total number of discussions in the list")
   end
@@ -45,6 +47,13 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.DiscussionType do
     field :discussion, type: :discussion do
       arg(:id, :id, description: "The discussion's ID")
       arg(:slug, :string, description: "The discussion's slug")
+
+      middleware(Rajska.QueryAuthorization,
+        permit: :user,
+        scope: Mobilizon.Discussions.Discussion,
+        rule: :"read:group:discussions"
+      )
+
       resolve(&Discussion.get_discussion/3)
     end
   end
@@ -56,6 +65,13 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.DiscussionType do
       arg(:text, non_null(:string), description: "The discussion's first comment body")
       arg(:actor_id, non_null(:id), description: "The discussion's group ID")
 
+      middleware(Rajska.QueryAuthorization,
+        permit: :user,
+        scope: Mobilizon.Discussions.Discussion,
+        rule: :"write:group:discussion:create",
+        args: %{actor_id: :actor_id}
+      )
+
       resolve(&Discussion.create_discussion/3)
     end
 
@@ -63,6 +79,14 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.DiscussionType do
     field :reply_to_discussion, type: :discussion do
       arg(:discussion_id, non_null(:id), description: "The discussion's ID")
       arg(:text, non_null(:string), description: "The discussion's reply body")
+
+      middleware(Rajska.QueryAuthorization,
+        permit: :user,
+        scope: Mobilizon.Discussions.Discussion,
+        rule: :"write:group:discussion:update",
+        args: %{id: :discussion_id}
+      )
+
       resolve(&Discussion.reply_to_discussion/3)
     end
 
@@ -70,6 +94,14 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.DiscussionType do
     field :update_discussion, type: :discussion do
       arg(:title, non_null(:string), description: "The updated discussion's title")
       arg(:discussion_id, non_null(:id), description: "The discussion's ID")
+
+      middleware(Rajska.QueryAuthorization,
+        permit: :user,
+        scope: Mobilizon.Discussions.Discussion,
+        rule: :"write:group:discussion:update",
+        args: %{id: :discussion_id}
+      )
+
       resolve(&Discussion.update_discussion/3)
     end
 
@@ -77,6 +109,13 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.DiscussionType do
     field :delete_discussion, type: :discussion do
       arg(:discussion_id, non_null(:id), description: "The discussion's ID")
 
+      middleware(Rajska.QueryAuthorization,
+        permit: :user,
+        scope: Mobilizon.Discussions.Discussion,
+        rule: :"write:group:discussion:delete",
+        args: %{id: :discussion_id}
+      )
+
       resolve(&Discussion.delete_discussion/3)
     end
   end