graphql-engine
Auth/Actions: Allow defining bool expression checks in action permissions
Is your proposal related to a problem?
Motivation: We often find ourselves querying the database at the beginning of almost every action to verify things like:
- Checking whether the user belongs to a desired category/bucket/cohort.
- Checking whether the user has the right to modify an entity (ex: is the current user the author of the article they're trying to mutate through an action).
Describe the solution you'd like
Hasura should allow defining action permissions based on bool checks built from data in the database, action arguments and session variables. This way, we can avoid writing a lot of repetitive validation by hand. Some sample solutions:
- Checking whether a user is allowed to use a feature. This can be achieved by a bool expression:

  ```json
  "_exists": { "allowed_users": { "id": { "_eq": "x-hasura-user-id" } } }
  ```

- Proceed with execution only if the user is the author of an article. This can be achieved by a bool expression:

  ```json
  "_exists": { "articles": { "id": { "_eq": "$action-args.article_id" }, "author_id": { "_eq": "x-hasura-user-id" } } }
  ```
Error definition
Since actions deal with custom business logic, it's important to allow defining custom errors (or error codes) that explain why the action invocation failed. Ideally, I'd like to configure this while defining permissions. Suggested solution:
- Allow defining multiple checks per role permission
- For each check, accept an error message and/or error code
- Throw this error message as part of the GraphQL error message and add the code to the extensions
I think this, combined with REST connectors, would really be a big step towards improving DX in actions because.
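To make the proposed semantics concrete, here is an added example (not part of the issue and not Hasura's code) that evaluates the two sample bool expressions above against in-memory tables and turns a failed check into the error message/code shape suggested under "Error definition". The `_exists`/`_eq` semantics, the `x-hasura-*` and `$action-args.*` placeholder resolution, the sample tables and the error codes are all assumptions constructed for illustration.

```python
# Hypothetical evaluator for the proposed action-permission bool expressions (constructed
# for illustration, not Hasura's implementation). Assumed semantics: "_exists" holds iff
# some row of the named table satisfies every column condition; a value starting with
# "x-hasura-" comes from session variables, "$action-args.<name>" from action arguments.
_MISSING = object()  # sentinel: an absent session variable or argument never matches
class ActionDeniedError(Exception):
    def __init__(self, message, code):
        super().__init__(message)
        self.message, self.code = message, code

def resolve_value(raw, session, action_args):
    # Map a placeholder in the expression to the concrete value it stands for.
    if isinstance(raw, str) and raw.lower().startswith("x-hasura-"):
        return session.get(raw.lower(), _MISSING)  # session var names are case-insensitive
    if isinstance(raw, str) and raw.startswith("$action-args."):
        return action_args.get(raw[len("$action-args."):], _MISSING)
    return raw

def evaluate(expr, db, session, action_args):
    # Only the operators used in the proposal are supported; anything else is an error.
    if set(expr) != {"_exists"}:
        raise ValueError(f"unsupported operator: {sorted(expr)}")
    (table, conditions), = expr["_exists"].items()
    return any(all(row.get(col) == resolve_value(cond["_eq"], session, action_args)
                   for col, cond in conditions.items())
               for row in db.get(table, []))

def authorize(checks, db, session, action_args):
    # Run a role's (expression, message, code) checks in order; stop at the first failure.
    for expr, message, code in checks:
        if not evaluate(expr, db, session, action_args):
            raise ActionDeniedError(message, code)
# Constructed sample tables and one role's checks (the two expressions from the issue).
DB = {"allowed_users": [{"id": "u1"}],
      "articles": [{"id": 7, "author_id": "u1"}, {"id": 8, "author_id": "u2"}]}
CHECKS = [
    ({"_exists": {"allowed_users": {"id": {"_eq": "x-hasura-user-id"}}}},
     "feature not enabled for this user", "feature-disabled"),
    ({"_exists": {"articles": {"id": {"_eq": "$action-args.article_id"},
                               "author_id": {"_eq": "x-hasura-user-id"}}}},
     "only the author may modify this article", "not-author"),
]

def run_action(session, action_args):
    # Gate the handler behind the checks; a failure becomes a GraphQL error with the code
    # under "extensions", as the issue proposes.
    try:
        authorize(CHECKS, DB, session, action_args)
    except ActionDeniedError as err:
        return {"errors": [{"message": err.message, "extensions": {"code": err.code}}]}
    return {"data": {"updated_article": action_args["article_id"]}}
```

A missing session variable or argument resolves to a sentinel that never compares equal, so an unauthenticated call fails the first check rather than matching a NULL column by accident.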
Describe alternatives you've considered
Writing these permission rules by hand.
If the feature is approved, would you be willing to submit a PR?
No.