Enable authorization handling in actionMany mutations (#160)

# Description ✍️

This PR enables the feature to authorize the operation of `updateMany`
and `deleteMany` mutations of the Graphoid gem.

#### `updateMany` mutations
1. `updateManyProjects`
2. `updateManySheets`
3. `updateManyGroups`
4. `updateManyColumns`
5. `updateManyRecords`
6. `updateManyUsers`
7. `updateManyRoles`
8. `updateManyAttachments`
9. `updateManyTriggers`
10. `updateManyFilters`
11. `updateManySheetModules`

#### `deleteMany` mutations
13. `deleteManyProjects`
14. `deleteManySheets`
15. `deleteManyGroups`
16. `deleteManyColumns`
17. `deleteManyRecords`
18. `deleteManyUsers`
19. `deleteManyRoles`
20. `deleteManyAttachments`
21. `deleteManyTriggers`
22. `deleteManyFilters`
23. `deleteManySheetModules`
# Checks ☑️

- [x] Enable authorization handling in actionMany mutations

Author: Victorcorcos

lib/graphoid/mutations/update.rb

@@ -47,6 +47,7 @@ def self.build(model)
 
             begin
               objects = Graphoid::Queries::Processor.execute(model, where.to_h)
+              objects = model.resolve_filter(self, objects) if model.respond_to?(:resolve_filter)
               objects.update_all(attrs)
               objects.all.to_a
             rescue Exception => ex

spec/tester_mongo/spec/graphoid/mutations/delete_many_spec.rb

@@ -3,27 +3,53 @@
 require 'rails_helper'
 
 describe 'MutationDeleteMany', type: :request do
+  def query(value)
+    %{
+      mutation {
+        deleteManyAccounts(where: { stringField: "#{value}" }){
+          id
+          stringField
+        }
+      }
+    }
+  end
+
   before { Account.delete_all }
-  subject { Helper.resolve(self, @action, @query) }
+  subject { Helper.resolve(self, 'deleteManyAccounts', query('bob')) }
 
   let!(:a0) { Account.create!(string_field: 'bob') }
   let!(:a1) { Account.create!(string_field: 'bob') }
   let!(:a2) { Account.create!(string_field: 'oob') }
 
   it 'deletes many objects by condition' do
-    @action = 'deleteManyAccounts'
-
-    @query = %{
-      mutation {
-        deleteManyAccounts(where: { stringField: "bob" }){
-          id
-        }
-      }
-    }
-
     expect(Account.count).to eq(3)
     subject
     expect(Account.count).to eq(1)
     expect(Account.first.string_field).to eq('oob')
   end
+
+  describe 'when there are errors in the mutation execution' do
+    before do
+      Account.class_eval do
+        def self.resolve_filter(resolver, result)
+          msg = 'User has insufficient privileges for this operation'
+          raise GraphQL::ExecutionError, msg
+        end
+      end
+
+      @result = Helper.resolve(self, 'deleteManyAccounts', query('edimar'))
+    end
+
+    after do
+      Account.class_eval do
+        def self.resolve_filter(resolver, result)
+          result
+        end
+      end
+    end
+
+    it 'should block the operation' do
+      expect(response.body).to include('User has insufficient privileges for this operation')
+    end
+  end
 end

spec/tester_mongo/spec/graphoid/mutations/update_many_spec.rb

@@ -3,25 +3,54 @@
 require 'rails_helper'
 
 describe 'MutationUpdateMany', type: :request do
-  before { Account.delete_all }
-  subject { Helper.resolve(self, 'updateManyAccounts', @query) }
-
-  let!(:a0) { Account.create!(string_field: 'account0', snake_case: 'snake', camelCase: 'camel') }
-  let!(:a1) { Account.create!(string_field: 'account1', snake_case: 'snake', camelCase: 'camel') }
-  let!(:a2) { Account.create!(string_field: 'account2', snake_case: 'snaki', camelCase: 'camel') }
-
-  it 'updates many objects by condition' do
-    @query = %{
+  def query(value)
+    %{
       mutation M {
-        updateManyAccounts(where: { snakeCase: "snake" }, data: { camelCase: "updated" }){
+        updateManyAccounts(where: { snakeCase: "snake" }, data: { camelCase: "#{value}" }){
           id
           camelCase
         }
       }
     }
+  end
+
+  before { Account.delete_all }
+  subject { Helper.resolve(self, 'updateManyAccounts', query('updated')) }
 
+  let!(:a0) { Account.create!(string_field: 'account0', snake_case: 'snake', camelCase: 'camel') }
+  let!(:a1) { Account.create!(string_field: 'account1', snake_case: 'snake', camelCase: 'camel') }
+  let!(:a2) { Account.create!(string_field: 'account2', snake_case: 'snaki', camelCase: 'camel') }
+
+  it 'updates many objects by condition' do
     expect(subject[0]['camelCase']).to eq('updated')
     expect(subject[1]['camelCase']).to eq('updated')
+    expect(a0.reload.camelCase).to eq('updated')
+    expect(a1.reload.camelCase).to eq('updated')
     expect(a2.reload.camelCase).to eq('camel')
   end
+
+  describe 'when there are errors in the mutation execution' do
+    before do
+      Account.class_eval do
+        def self.resolve_filter(resolver, result)
+          msg = 'User has insufficient privileges for this operation'
+          raise GraphQL::ExecutionError, msg
+        end
+      end
+
+      @result = Helper.resolve(self, 'updateManyAccounts', query('edimar'))
+    end
+
+    after do
+      Account.class_eval do
+        def self.resolve_filter(resolver, result)
+          result
+        end
+      end
+    end
+
+    it 'should block the operation' do
+      expect(response.body).to include('User has insufficient privileges for this operation')
+    end
+  end
 end