GraphQLBundle
Field access control
| Q | A |
|---|---|
| Bug report? | no |
| Feature request? | maybe |
| BC Break report? | no |
| RFC? | no |
| Version/Branch | x.y.z |
I am trying to define field access control on my types, but I need to use the whole object for this decision, not only the value of the protected field (which is accessible in the expression via `object`).
Example:
```yaml
Advert:
    type: object
    config:
        fields:
            id:
                type: Int
            userId:
                type: Int
            description:
                type: String
                access: "@= ???"
```
In my example I want to allow access to the `description` property only for the owner (based on `userId`) of the Advert object and to forbid it for all others. All other properties should remain accessible for all users.
Is this possible using Expression language with the available variables? Or do I have to create custom resolvers, where I can check against this condition, for all my fields?
I use this:
```yaml
User:
    type: object
    config:
        fields:
            id:
                type: "ID!"
                builder: "Relay::GlobalId"
                builderConfig:
                    typeName: User
            username:
                type: "String!"
                deprecationReason: "Using e-mail only"
            email:
                type: "String!"
            cards:
                type: "[Card]"
                resolve: "@=resolver('user_card_list', [value])"
                access: "@=value === user"
```
so you could use
```yaml
access: "@=value.getOwner() === user"
```
OK, so the `value` variable is also available in the access control, not only in the resolve context as said in the docs?
Does that mean that access is evaluated in the resolve context and all resolve variables are therefore accessible as well? If so, there should be some information about that in the docs.
Hi, in access mode you should use `object` and not `value` (even if `value` can be accessible in some cases). Note that `object` is not accessible in a mutation, because a mutation is executed only if access is true, whereas a query is executed before executing access...
Here is the flow:
- in query mode: execute resolver -> execute access -> manage result in function of access
- in mutation mode: execute access -> execute resolver if access result is true

This needs some documentation; I think this part is not clear enough...
But `object` is the value of the field, so you cannot check the access as I and @pekarja5 need it.
@calvera that's right, my bad :+1:
@mcg-web So, what is the proposed solution for this? In which cases will the `value` variable be available to use?
The solution of @calvera is the best, but I'm not sure it will work for mutation operations... Maybe this is not your use case.
OK, thx
> not sure it will work for mutation operation

I'm fine with this because mutation has no 'parent' entity
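
The two evaluation orders described in this thread, combined with the owner check on `value`, as an added example that is not part of the thread or of GraphQLBundle's code. It is a simplified PHP model: `resolveField()`, the `Advert` class and the closures are hypothetical names, and modelling a denied field as `null` is an assumption.

```php
<?php
declare(strict_types=1);

// Simplified model of the flow described in the thread; NOT GraphQLBundle code.
// resolveField(), Advert and the closures are hypothetical names.
final class Advert
{
    public function __construct(
        public int $id,
        public int $userId,
        public string $description,
    ) {}
}

// $value = parent object the field belongs to; $object = what the resolver returned.
function resolveField(string $mode, callable $resolver, callable $access,
                      ?object $value, int $user, array &$log): mixed
{
    if ($mode === 'mutation') {
        $log[] = 'access';                  // checked first: no resolver output yet
        if (!$access($value, null, $user)) {
            return null;                    // assumption: denial modelled as null
        }
        $log[] = 'resolver';
        return $resolver($value);
    }
    $log[] = 'resolver';                    // query: resolver has already run ...
    $object = $resolver($value);
    $log[] = 'access';                      // ... before the rule is evaluated
    return $access($value, $object, $user) ? $object : null;
}

$advert = new Advert(7, 42, 'Bike, lightly used');   // constructed sample data
$describe = fn (Advert $a): string => $a->description;
// Same idea as access: "@=value.getOwner() === user", using userId from the question.
$ownerOnly = fn (?object $value, mixed $object, int $user): bool
    => $value instanceof Advert && $value->userId === $user;

foreach ([42, 99] as $user) {
    $log = [];
    $result = resolveField('query', $describe, $ownerOnly, $advert, $user, $log);
    printf("query    user=%d order=%s result=%s\n", $user, implode('>', $log), var_export($result, true));
}

$log = [];
$result = resolveField('mutation', fn () => 'created', $ownerOnly, null, 42, $log);
printf("mutation user=%d order=%s result=%s\n", 42, implode('>', $log), var_export($result, true));
```

In the query runs the resolver is logged before the access rule for both users, so the rule only decides whether the already-resolved value is returned; resolvers behind an `access` rule on a query field should therefore stay free of side effects. In the mutation run there is no parent object, so a rule written against `value` has nothing to compare and the resolver is never reached.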