Graphql-engine: Permissions: allow select in subquery only

Created on 25 Jul 2018 · 7Comments · Source: hasura/graphql-engine

I need the data of a table to be available for anonymous but not as a direct query (I don't want it to be able to pull my whole knowledgebase).

Not allowed:

query getClients {
  client { ... }
}

Allowed:

query getProjects {
   projects {
      client { ... }
   }
}

server enhancement

Source

nukinuki

👍7

Most helpful comment

I would also find such a feature quite useful.

T-Specht on 6 Jun 2019

👍4

All 7 comments

Hi @nukinuki, i understand the use-case.
@0x777 will explore the feasibility of implementing such a permission feature.

Meanwhile just curious; would you be able to solve your requirement by creating a Postgres VIEW and setting up anonymous permission for that VIEW? Or do you prefer it to be able to set this up via permissions directly?

praveenweb on 26 Jul 2018

Creating a view can solve this particular example with object relationship. Any ideas for array relationship?

query getProjects {
   projects {
      contacts {
         contact { ... }
      }
   }
}

The example scheme is:

table project: id, name
table contact: id, name, phone
table project_x_contact: id, project_id, contact_id

nukinuki on 26 Jul 2018

@nukinuki Are there any permissions on the projects table? If there aren't then it doesn't matter whether clients can be queried directly or not, you can indirectly just fetch all the clients by fetching all the projects.