
Craftql and authorization

Open gertst opened this issue 5 years ago • 0 comments

Hi Mark, Hi all,

I'm doing some investigations to use Craft as a headless CMS for a web portal that provides courses for users.

I want to use CraftQL to log in a user and do some CRUD functions on several channels. But I don't see how I can avoid having users read records of other users. A tech-savvy user might fiddle with a GraphQL viewer to read out all entries of a channel.

E.g.: I have a Channel Results, containing the fields User(id) and Score. How can I make sure that a user can only read out his entry and not others? Things get even worse when allowing mutations.

Can I create a Craft plugin to interface with the CraftQL plugin and block queries/mutations with certain fields/filters? If so, what hooks should be used? Is there some demo code available?

Am I overlooking something obvious here, or is CraftQL not the way to go for CRUD functions?

Thanks for sharing your thoughts on this!

Gert - www.but.be

gertst, Oct 25 '19 13:10