Removed passing of token in policies, updated member model can_* mode…

…ls to use Current.tokenfor uploader authorization, removed setting of context token from base mutation, resolver, and object
phac-nml · Jun 5, 2024 · 56f6457 · 56f6457
1 parent f34461a
commit 56f6457
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 32 deletions.
diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb
@@ -9,11 +9,5 @@ class BaseMutation < GraphQL::Schema::RelayClassicMutation
     field_class Types::BaseField
     input_object_class Types::BaseInputObject
     object_class Types::BaseObject
-
-    authorize :token, through: :token
-
-    def token
-      context[:token]
-    end
   end
 end
diff --git a/app/graphql/resolvers/base_resolver.rb b/app/graphql/resolvers/base_resolver.rb
@@ -6,11 +6,5 @@ class BaseResolver < GraphQL::Schema::Resolver
     include ActionPolicy::GraphQL::Behaviour
 
     argument_class ::Types::BaseArgument
-
-    authorize :token, through: :token
-
-    def token
-      context[:token]
-    end
   end
 end
diff --git a/app/graphql/types/base_object.rb b/app/graphql/types/base_object.rb
@@ -9,12 +9,6 @@ class BaseObject < GraphQL::Schema::Object
     connection_type_class(Types::BaseConnection)
     field_class Types::BaseField
 
-    authorize :token, through: :token
-
-    def token
-      context[:token]
-    end
-
     # All graphql fields exposing an id, should expose a global id.
     def id
       IridaSchema.id_from_object(object)

diff --git a/app/models/member.rb b/app/models/member.rb
@@ -31,8 +31,7 @@ class Member < ApplicationRecord # rubocop:disable Metrics/ClassLength
 
   class << self
     DEFAULT_CAN_OPTIONS = {
-      include_group_links: true,
-      token: nil
+      include_group_links: true
     }.freeze
 
     def access_levels(member)
@@ -73,7 +72,7 @@ def can_view?(user, object_namespace, **options)
       options = DEFAULT_CAN_OPTIONS.merge(options)
       effective_access_level = effective_access_level(object_namespace, user, options[:include_group_links])
       if effective_access_level == Member::AccessLevel::UPLOADER &&
-         (options[:token].nil? || (!options[:token].nil? && !options[:token].active?))
+         !Current.token&.active?
         return false
       end
 
@@ -152,22 +151,20 @@ def can_create_export?(user, object_namespace)
       effective_access_level(object_namespace, user) >= Member::AccessLevel::ANALYST
     end
 
-    def can_create_sample?(user, object_namespace, **options)
-      options = DEFAULT_CAN_OPTIONS.merge(options)
+    def can_create_sample?(user, object_namespace)
       effective_access_level = effective_access_level(object_namespace, user)
 
-      return true if effective_access_level == Member::AccessLevel::UPLOADER && options[:token]&.active?
+      return true if (effective_access_level == Member::AccessLevel::UPLOADER) && Current.token&.active?
 
       Member::AccessLevel.manageable.include?(
         effective_access_level
       )
     end
 
-    def can_modify_sample?(user, object_namespace, **options)
-      options = DEFAULT_CAN_OPTIONS.merge(options)
+    def can_modify_sample?(user, object_namespace)
       effective_access_level = effective_access_level(object_namespace, user)
 
-      return true if effective_access_level == Member::AccessLevel::UPLOADER && options[:token]&.active?
+      return true if (effective_access_level == Member::AccessLevel::UPLOADER) && Current.token&.active?
 
       Member::AccessLevel.manageable.include?(
         effective_access_level

diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
@@ -45,7 +45,7 @@ def new?
   end
 
   def read?
-    return true if Member.can_view?(user, record, token:) == true
+    return true if Member.can_view?(user, record) == true
 
     details[:name] = record.name
     false

diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
@@ -44,7 +44,7 @@ def new?
 
   def read?
     return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
-    return true if Member.can_view?(user, record.namespace, token:) == true
+    return true if Member.can_view?(user, record.namespace) == true
 
     details[:name] = record.name
     false
@@ -76,7 +76,7 @@ def sample_listing?
 
   def create_sample?
     return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
-    return true if Member.can_create_sample?(user, record.namespace, token:) == true
+    return true if Member.can_create_sample?(user, record.namespace) == true
 
     details[:name] = record.name
     false
@@ -92,15 +92,15 @@ def destroy_sample?
 
   def read_sample?
     return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
-    return true if Member.can_view?(user, record.namespace, token:) == true
+    return true if Member.can_view?(user, record.namespace) == true
 
     details[:name] = record.name
     false
   end
 
   def update_sample?
     return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
-    return true if Member.can_modify_sample?(user, record.namespace, token:) == true
+    return true if Member.can_modify_sample?(user, record.namespace) == true
 
     details[:name] = record.name
     false