Add authorizations to root queries

app/graphql/types/base_object.rb

@@ -1,4 +1,25 @@
 module Types
   class BaseObject < GraphQL::Schema::Object
+    def self.authorized_demarche?(demarche, context)
+      # We are caching authorization logic because it is called for each node
+      # of the requested graph and can be expensive. Context is reset per request so it is safe.
+      context[:authorized] ||= {}
+      if context[:authorized][demarche.id]
+        return true
+      end
+
+      administrateur = demarche.administrateurs.find do |administrateur|
+        if context[:token]
+          administrateur.valid_api_token?(context[:token])
+        else
+          administrateur.id == context[:administrateur_id]
+        end
+      end
+
+      if administrateur
+        context[:authorized][demarche.id] = true
+        true
+      end
+    end
   end
 end

app/graphql/types/demarche_type.rb

@@ -46,5 +46,9 @@ module Types
 
       dossiers
     end
+
+    def self.authorized?(object, context)
+      authorized_demarche?(object, context)
+    end
   end
 end

app/graphql/types/dossier_type.rb

@@ -38,5 +38,9 @@ module Types
     def instructeurs
       Loaders::Association.for(object.class, :followers_instructeurs).load(object)
     end
+
+    def self.authorized?(object, context)
+      authorized_demarche?(object.procedure, context)
+    end
   end
 end