feat(laravel): graphql policies

Author: soyuka

src/Laravel/ApiPlatformProvider.php

@@ -927,6 +927,10 @@ public function register(): void
             );
         });
 
+        if (interface_exists(FieldsBuilderEnumInterface::class)) {
+            $this->registerGraphQl($this->app);
+        }
+
         $this->app->singleton(JsonApiObjectNormalizer::class, function (Application $app) {
             return new JsonApiObjectNormalizer(
                 $app->make(ObjectNormalizer::class),
@@ -936,51 +940,6 @@ public function register(): void
             );
         });
 
-        if ($this->app['config']->get('api-platform.graphql.enabled')) {
-            $this->app->singleton(GraphQlItemNormalizer::class, function (Application $app) {
-                return new GraphQlItemNormalizer(
-                    $app->make(PropertyNameCollectionFactoryInterface::class),
-                    $app->make(PropertyMetadataFactoryInterface::class),
-                    $app->make(IriConverterInterface::class),
-                    $app->make(IdentifiersExtractorInterface::class),
-                    $app->make(ResourceClassResolverInterface::class),
-                    $app->make(PropertyAccessorInterface::class),
-                    $app->make(NameConverterInterface::class),
-                    $app->make(SerializerClassMetadataFactory::class),
-                    null,
-                    $app->make(ResourceMetadataCollectionFactoryInterface::class),
-                    $app->make(ResourceAccessCheckerInterface::class)
-                );
-            });
-
-            $this->app->singleton(GraphQlObjectNormalizer::class, function (Application $app) {
-                return new GraphQlObjectNormalizer(
-                    $app->make(ObjectNormalizer::class),
-                    $app->make(IriConverterInterface::class),
-                    $app->make(IdentifiersExtractorInterface::class),
-                );
-            });
-        }
-
-        $this->app->singleton(GraphQlErrorNormalizer::class, function () {
-            return new GraphQlErrorNormalizer();
-        });
-
-        $this->app->singleton(GraphQlValidationExceptionNormalizer::class, function (Application $app) {
-            /** @var ConfigRepository */
-            $config = $app['config'];
-
-            return new GraphQlValidationExceptionNormalizer($config->get('api-platform.exception_to_status'));
-        });
-
-        $this->app->singleton(GraphQlHttpExceptionNormalizer::class, function () {
-            return new GraphQlHttpExceptionNormalizer();
-        });
-
-        $this->app->singleton(GraphQlRuntimeExceptionNormalizer::class, function () {
-            return new GraphQlHttpExceptionNormalizer();
-        });
-
         $this->app->bind(SerializerInterface::class, Serializer::class);
         $this->app->bind(NormalizerInterface::class, Serializer::class);
         $this->app->singleton(Serializer::class, function (Application $app) {
@@ -1009,7 +968,7 @@ public function register(): void
             $list->insert($app->make(JsonApiItemNormalizer::class), -890);
             $list->insert($app->make(JsonApiObjectNormalizer::class), -995);
 
-            if ($config->get('api-platform.graphql.enabled')) {
+            if (interface_exists(FieldsBuilderEnumInterface::class)) {
                 $list->insert($app->make(GraphQlItemNormalizer::class), -890);
                 $list->insert($app->make(GraphQlObjectNormalizer::class), -995);
                 $list->insert($app->make(GraphQlErrorNormalizer::class), -790);
@@ -1033,7 +992,8 @@ public function register(): void
                     new JsonEncoder('jsonapi'),
                     new JsonEncoder('jsonhal'),
                     new CsvEncoder(),
-                ]);
+                ]
+            );
         });
 
         $this->app->singleton(JsonLdItemNormalizer::class, function (Application $app) {
@@ -1078,17 +1038,56 @@ function (Application $app) {
             return new Inflector();
         });
 
-        if ($this->app['config']->get('api-platform.graphql.enabled')) {
-            $this->registerGraphQl($this->app);
-        }
-
         if ($this->app->runningInConsole()) {
             $this->commands([Console\InstallCommand::class]);
         }
     }
 
     private function registerGraphQl(Application $app): void
     {
+        $this->app->singleton(GraphQlItemNormalizer::class, function (Application $app) {
+            return new GraphQlItemNormalizer(
+                $app->make(PropertyNameCollectionFactoryInterface::class),
+                $app->make(PropertyMetadataFactoryInterface::class),
+                $app->make(IriConverterInterface::class),
+                $app->make(IdentifiersExtractorInterface::class),
+                $app->make(ResourceClassResolverInterface::class),
+                $app->make(PropertyAccessorInterface::class),
+                $app->make(NameConverterInterface::class),
+                $app->make(SerializerClassMetadataFactory::class),
+                null,
+                $app->make(ResourceMetadataCollectionFactoryInterface::class),
+                $app->make(ResourceAccessCheckerInterface::class)
+            );
+        });
+
+        $this->app->singleton(GraphQlObjectNormalizer::class, function (Application $app) {
+            return new GraphQlObjectNormalizer(
+                $app->make(ObjectNormalizer::class),
+                $app->make(IriConverterInterface::class),
+                $app->make(IdentifiersExtractorInterface::class),
+            );
+        });
+
+        $this->app->singleton(GraphQlErrorNormalizer::class, function () {
+            return new GraphQlErrorNormalizer();
+        });
+
+        $this->app->singleton(GraphQlValidationExceptionNormalizer::class, function (Application $app) {
+            /** @var ConfigRepository */
+            $config = $app['config'];
+
+            return new GraphQlValidationExceptionNormalizer($config->get('api-platform.exception_to_status'));
+        });
+
+        $this->app->singleton(GraphQlHttpExceptionNormalizer::class, function () {
+            return new GraphQlHttpExceptionNormalizer();
+        });
+
+        $this->app->singleton(GraphQlRuntimeExceptionNormalizer::class, function () {
+            return new GraphQlHttpExceptionNormalizer();
+        });
+
         $app->singleton('api_platform.graphql.type_locator', function (Application $app) {
             $tagged = iterator_to_array($app->tagged('api_platform.graphql.type'));
 
@@ -1130,44 +1129,78 @@ private function registerGraphQl(Application $app): void
             return new GraphQlSerializerContextBuilder($app->make(NameConverterInterface::class));
         });
 
-        $app->singleton('api_platform.graphql.state_provider', function (Application $app) {
+        $app->singleton(GraphQlReadProvider::class, function (Application $app) {
             /** @var ConfigRepository */
             $config = $app['config'];
-            $tagged = iterator_to_array($app->tagged(ParameterProviderInterface::class));
-            $resolvers = iterator_to_array($app->tagged('api_platform.graphql.resolver'));
 
             return new GraphQlReadProvider(
-                new GraphQlDenormalizeProvider(
-                    new ResolverProvider(
-                        new ParameterProvider(
-                            $app->make(CallableProvider::class),
-                            new ServiceLocator($tagged)
-                        ),
-                        new ServiceLocator($resolvers),
-                    ),
-                    $app->make(SerializerInterface::class),
-                    $app->make(GraphQlSerializerContextBuilder::class)
-                ),
+                $this->app->make(CallableProvider::class),
                 $app->make(IriConverterInterface::class),
                 $app->make(GraphQlSerializerContextBuilder::class),
                 $config->get('api-platform.graphql.nesting_separator') ?? '__'
             );
         });
+        $app->alias(GraphQlReadProvider::class, 'api_platform.graphql.state_provider.read');
+
+        $app->singleton(ResolverProvider::class, function (Application $app) {
+            $resolvers = iterator_to_array($app->tagged('api_platform.graphql.resolver'));
+
+            return new ResolverProvider(
+                $app->make(GraphQlReadProvider::class),
+                new ServiceLocator($resolvers),
+            );
+        });
+
+        $app->alias(ResolverProvider::class, 'api_platform.graphql.state_provider.resolver');
+
+        $app->singleton(GraphQlDenormalizeProvider::class, function (Application $app) {
+            return new GraphQlDenormalizeProvider(
+                $this->app->make(ResolverProvider::class),
+                $app->make(SerializerInterface::class),
+                $app->make(GraphQlSerializerContextBuilder::class)
+            );
+        });
+
+        $app->alias(GraphQlDenormalizeProvider::class, 'api_platform.graphql.state_provider.denormalize');
+
+        $app->singleton('api_platform.graphql.state_provider.parameter', function (Application $app) {
+            $tagged = iterator_to_array($app->tagged(ParameterProviderInterface::class));
+            $tagged['api_platform.serializer.filter_parameter_provider'] = $app->make(SerializerFilterParameterProvider::class);
+
+            return new ParameterProvider(
+                new ParameterValidatorProvider(
+                    new SecurityParameterProvider(
+                        $app->make(GraphQlDenormalizeProvider::class),
+                        $app->make(ResourceAccessCheckerInterface::class)
+                    ),
+                ),
+                new ServiceLocator($tagged)
+            );
+        });
+
+        $app->singleton('api_platform.graphql.state_provider.access_checker', function (Application $app) {
+            return new AccessCheckerProvider($app->make('api_platform.graphql.state_provider.parameter'), $app->make(ResourceAccessCheckerInterface::class));
+        });
+
+        $app->singleton(NormalizeProcessor::class, function (Application $app) {
+            return new NormalizeProcessor(
+                $app->make(SerializerInterface::class),
+                $app->make(GraphQlSerializerContextBuilder::class),
+                $app->make(Pagination::class)
+            );
+        });
+        $app->alias(NormalizeProcessor::class, 'api_platform.graphql.state_processor.normalize');
 
         $app->singleton('api_platform.graphql.state_processor', function (Application $app) {
             return new WriteProcessor(
-                new NormalizeProcessor(
-                    $app->make(SerializerInterface::class),
-                    $app->make(GraphQlSerializerContextBuilder::class),
-                    $app->make(Pagination::class)
-                ),
+                $app->make('api_platform.graphql.state_processor.normalize'),
                 $app->make(CallableProcessor::class),
             );
         });
 
         $app->singleton(ResolverFactoryInterface::class, function (Application $app) {
             return new ResolverFactory(
-                $app->make('api_platform.graphql.state_provider'),
+                $app->make('api_platform.graphql.state_provider.access_checker'),
                 $app->make('api_platform.graphql.state_processor')
             );
         });
@@ -1227,7 +1260,8 @@ private function registerGraphQl(Application $app): void
                 $app->make(SerializerInterface::class),
                 $app->make(ErrorHandlerInterface::class),
                 debug: $config->get('app.debug'),
-                negotiator: $app->make(Negotiator::class)
+                negotiator: $app->make(Negotiator::class),
+                formats: $config->get('api-platform.formats')
             );
         });
     }

src/Laravel/Eloquent/Metadata/Factory/Resource/EloquentResourceCollectionMetadataFactory.php

@@ -22,6 +22,11 @@
 use ApiPlatform\Metadata\DeleteOperationInterface;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\GraphQl\DeleteMutation;
+use ApiPlatform\Metadata\GraphQl\Mutation;
+use ApiPlatform\Metadata\GraphQl\Query;
+use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\GraphQl\Subscription;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
@@ -39,6 +44,12 @@ final class EloquentResourceCollectionMetadataFactory implements ResourceMetadat
         GetCollection::class => 'viewAny',
         Delete::class => 'delete',
         Patch::class => 'update',
+
+        Query::class => 'view',
+        QueryCollection::class => 'viewAny',
+        Mutation::class => 'update',
+        DeleteMutation::class => 'delete',
+        Subscription::class => 'viewAny',
     ];
 
     public function __construct(
@@ -94,6 +105,12 @@ public function create(string $resourceClass): ResourceMetadataCollection
             $graphQlOperations = $resourceMetadata->getGraphQlOperations();
 
             foreach ($graphQlOperations ?? [] as $operationName => $graphQlOperation) {
+                if (!$graphQlOperation->getPolicy() && ($policy = Gate::getPolicyFor($model))) {
+                    if (($policyMethod = self::POLICY_METHODS[$graphQlOperation::class] ?? null) && method_exists($policy, $policyMethod)) {
+                        $graphQlOperation = $graphQlOperation->withPolicy($policyMethod);
+                    }
+                }
+
                 if (!$graphQlOperation->getProvider()) {
                     $graphQlOperation = $graphQlOperation->withProvider($graphQlOperation instanceof CollectionOperationInterface ? CollectionProvider::class : ItemProvider::class);
                 }

src/Laravel/GraphQl/Controller/EntrypointController.php

@@ -32,6 +32,9 @@ final class EntrypointController
     use ContentNegotiationTrait;
     private int $debug;
 
+    /**
+     * @param array<string, string[]> $formats
+     */
     public function __construct(
         private readonly SchemaBuilderInterface $schemaBuilder,
         private readonly ExecutorInterface $executor,
@@ -40,6 +43,7 @@ public function __construct(
         private readonly ErrorHandlerInterface $errorHandler,
         bool $debug = false,
         ?Negotiator $negotiator = null,
+        private readonly array $formats = [],
     ) {
         $this->debug = $debug ? DebugFlag::INCLUDE_DEBUG_MESSAGE | DebugFlag::INCLUDE_TRACE : DebugFlag::NONE;
         $this->negotiator = $negotiator ?? new Negotiator();
@@ -48,14 +52,23 @@ public function __construct(
     public function __invoke(Request $request): Response
     {
         $formats = ['json' => ['application/json'], 'html' => ['text/html']];
+
+        foreach ($this->formats as $k => $f) {
+            if (!isset($formats[$k])) {
+                $formats[$k] = $f;
+            }
+        }
+
+        $this->addRequestFormats($request, $formats);
         $format = $this->getRequestFormat($request, $formats, false);
+        $request->setRequestFormat($format);
 
         try {
             if ($request->isMethod('GET') && 'html' === $format) {
                 return ($this->graphiQlAction)();
             }
 
-            [$query, $operationName, $variables] = $this->parseRequest($request);
+            [$query, $operationName, $variables] = $this->parseRequest($request, $format);
             if (null === $query) {
                 throw new BadRequestHttpException('GraphQL query is not valid.');
             }
@@ -78,7 +91,7 @@ public function __invoke(Request $request): Response
      *
      * @return array{0: array<string, mixed>|null, 1: string, 2: array<string, mixed>}
      */
-    private function parseRequest(Request $request): array
+    private function parseRequest(Request $request, string $format): array
     {
         $queryParameters = $request->query->all();
         $query = $queryParameters['query'] ?? null;
@@ -91,16 +104,15 @@ private function parseRequest(Request $request): array
             return [$query, $operationName, $variables];
         }
 
-        $contentType = method_exists(Request::class, 'getContentTypeFormat') ? $request->getContentTypeFormat() : $request->getContentType();
-        if ('json' === $contentType) {
+        if ('json' === $format) {
             return $this->parseData($query, $operationName, $variables, $request->getContent());
         }
 
-        if ('graphql' === $contentType) {
+        if ('graphql' === $format) {
             $query = $request->getContent();
         }
 
-        if (\in_array($contentType, ['multipart', 'form'], true)) {
+        if ('multipart' === $format) {
             return $this->parseMultipartRequest($query, $operationName, $variables, $request->request->all(), $request->files->all());
         }
 

src/Laravel/State/AccessCheckerProvider.php

@@ -13,10 +13,12 @@
 
 namespace ApiPlatform\Laravel\State;
 
+use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
 use ApiPlatform\State\ProviderInterface;
 use Illuminate\Auth\Access\AuthorizationException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
  * Allows access based on the ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface.
@@ -54,7 +56,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         ];
 
         if (!$this->resourceAccessChecker->isGranted($operation->getClass(), $policy, $resourceAccessCheckerContext)) {
-            throw new AuthorizationException($message ?? 'Access Denied.');
+            throw $operation instanceof HttpOperation ? new AuthorizationException($message ?? 'Access Denied.') : new AccessDeniedHttpException($message ?? 'Access Denied.');
         }
 
         return $body;