@graphback/keycloak-authzAccording to the Keycloak-Authz Relationship Authorization documentation I can apply authorization restrictions on one-to-many fields, like the example below:
const authConfig = {
Task: {
relations: {
taskUsers: { roles: ['admin'] }
allTasksComments: { roles: ['commenter'] }
},
},
Take a look at my auth config below. Note.comments is a one-to-many field.
const authConfig: CrudServicesAuthConfig = {
Note: {
...,
relations: {
// Note.comments oneToMany field
comments: { roles: ['super_admin'] }
}
}
}
Datamodel:
""" @model """
type Note {
""" @id """
_id: ID!
title: String!
description: String
"""
@oneToMany(field: 'note')
"""
comments: [Comment]!
}
""" @model """
type Comment {
""" @id """
_id: ID!
text: String
description: String
}
However I am able to retrieve the comments relation data without any user privileges.
Upon inspection of the KeycloakCrudService, it is comparing the relationField parameter to comments, but this parameter is noteId (as it is in CRUDService), so the auth check is never executed.
To get it to work I would need to do:
Comment: {
relations: {
noteId: { roles: ['super_admin'] }
}
}
Is this a bug or a docs issue?
Automatically generated comment to notify maintainers
/cc @machi1990, @wtrocki
@craicoverflow update docs
Temporary fix added in #2101
@craicoverflow thanks. Looks like the fix just landed in master. What I see here:
/cc @wtrocki
I would love to get back to it once 1.0 dust will settle.
Has this issue been fixed as mentioned by @craicoverflow in #2101? If not then what more needs to be done?
Hi @RinkiyaKeDad - this is not fixed yet. The description already covers what is required to do this, and to be honest it is not an easy fix at all, as yet we are unsure how it can be fixed. You can give it a go, but there are probably better issues to take for now.