rmosolgo · rmosolgo · Dec 1, 2023 · Dec 1, 2023
diff --git a/lib/graphql/schema/member/scoped.rb b/lib/graphql/schema/member/scoped.rb
@@ -21,7 +21,7 @@ def reauthorize_scoped_objects(new_value = nil)
             if @reauthorize_scoped_objects != nil
               @reauthorize_scoped_objects
             else
-              find_inherited_value(:reauthorize_scoped_objects, nil)
+              find_inherited_value(:reauthorize_scoped_objects, true)
             end
           else
             @reauthorize_scoped_objects = new_value

diff --git a/lib/graphql/types/relay/connection_behaviors.rb b/lib/graphql/types/relay/connection_behaviors.rb
@@ -87,6 +87,19 @@ def scope_items(items, context)
             node_type.scope_items(items, context)
           end
 
+          # The connection will skip auth on its nodes if the node_type is configured for that
+          def reauthorize_scoped_objects(new_value = nil)
+            if new_value.nil?
+              if @reauthorize_scoped_objects != nil
+                @reauthorize_scoped_objects
+              else
+                node_type.reauthorize_scoped_objects
+              end
+            else
+              @reauthorize_scoped_objects = new_value
+            end
+          end
+
           # Add the shortcut `nodes` field to this connection and its subclasses
           def nodes_field(node_nullable: self.node_nullable, field_options: nil)
             define_nodes_field(node_nullable, field_options: field_options)

diff --git a/spec/graphql/schema/member/scoped_spec.rb b/spec/graphql/schema/member/scoped_spec.rb
@@ -77,6 +77,8 @@ def self.resolve_type(item, ctx)
           Item
         end
       end
+
+      reauthorize_scoped_objects(false)
     end
 
     class Query < BaseObject
@@ -294,4 +296,89 @@ def get_item_names_with_context(ctx, field_name: "items")
       assert field.resolve(OpenStruct.new(object: { items: [] }), {}, ctx)
     end
   end
+
+
+  describe "skipping authorization on scoped lists" do
+    class SkipAuthSchema < GraphQL::Schema
+      class Book < GraphQL::Schema::Object
+        def self.authorized?(obj, ctx)
+          ctx[:auth_log] << [:authorized?, obj[:title]]
+          true
+        end
+
+        def self.scope_items(list, ctx)
+          ctx[:auth_log] << [:scope_items, list.map { |b| b[:title]}]
+          list.dup # Skipping authorized objects requires a new object to be returned
+        end
+
+        field :title, String
+      end
+
+      class SkipAuthorizationBook < Book
+        reauthorize_scoped_objects(false)
+      end
+
+      class ReauthorizedBook < Book
+        reauthorize_scoped_objects(true)
+      end
+
+      class Query < GraphQL::Schema::Object
+        field :book, Book
+
+        def book
+          { title: "Nonsense Omnibus"}
+        end
+
+        field :books, [Book]
+
+        def books
+          [{ title: "Jayber Crow" }, { title: "Hannah Coulter" }]
+        end
+
+        field :skip_authorization_books, [SkipAuthorizationBook], resolver_method: :books
+
+        field :reauthorized_books, [ReauthorizedBook], resolver_method: :books
+
+        field :skip_authorization_books_connection, SkipAuthorizationBook.connection_type, resolver_method: :books
+      end
+
+      query(Query)
+    end
+
+    it "runs both authorizations by default" do
+      log = []
+      SkipAuthSchema.execute("{ book { title } books { title } }", context: { auth_log: log })
+      expected_log = [
+        [:authorized?, "Nonsense Omnibus"],
+        [:scope_items, ["Jayber Crow", "Hannah Coulter"]],
+        [:authorized?, "Jayber Crow"],
+        [:authorized?, "Hannah Coulter"],
+      ]
+      assert_equal expected_log, log
+    end
+
+    it "skips self.authorized? when configured" do
+      log = []
+      SkipAuthSchema.execute("{ skipAuthorizationBooks { title } }", context: { auth_log: log })
+      assert_equal [[:scope_items, ["Jayber Crow", "Hannah Coulter"]]], log
+    end
+
+    it "can be re-enabled in subclasses" do
+      log = []
+      SkipAuthSchema.execute("{ reauthorizedBooks { title } }", context: { auth_log: log })
+      expected_log = [
+        [:scope_items, ["Jayber Crow", "Hannah Coulter"]],
+        [:authorized?, "Jayber Crow"],
+        [:authorized?, "Hannah Coulter"],
+      ]
+
+      assert_equal expected_log, log
+    end
+
+    it "skips auth in connections" do
+      log = []
+      SkipAuthSchema.execute("{ skipAuthorizationBooksConnection(first: 10) { nodes { title } } }", context: { auth_log: log })
+      assert_equal [[:scope_items, ["Jayber Crow", "Hannah Coulter"]]], log
+    end
+  end
 end