Entity-Level Authorization: Does It Make Sense? Existing Solutions?

[eduardolundgren]

I've come across the need of applying the concept of entity-level authorization in a project, where during a query, each object is checked to see if the current user can interact with it. An example would be ensuring a user is associated with the organizationId of an entity.

class Types::Friendship < Types::BaseObject
  # You can only see the details on a `Friendship`
  # if you're one of the people involved in it.
  def self.authorized?(object, context)
    super && (object.to_friend == context[:viewer] || object.from_friend == context[:viewer])
  end
end

Reference: GraphQL-Ruby Authorization.

Does this approach make sense for this project? Are there established ways to achieve this already? Would love to hear insights and alternatives.