Graphql-engine: Permissions: two sets for one "action-role" pair

Created on 2 Jul 2019 · 2 Comments · Source: hasura/graphql-engine

I'm trying to figure out if I can put two sets of conditions on one action-role pair.
Here is a use case:

  • I'd like to enable updating one specific column for all users with a role
  • I'd like to enable updating all columns for a specific subset of the same role. Something like this:
    {"user":{"_and":[{"seller":{"_eq":true}},{"uid":{"_eq":"X-Hasura-User-Id"}}]}}

However, I can't find a way to implement both of them at the same time.

Please let me know if it's possible.

All 2 comments

Hi @vadbut,

The only way I can think of to enable your use case is to create a view and have the desired permission in the view.

Let's say your table name is: product and you wanted to let everyone update the description field.

In the update permissions of the table product you need to select every field but the description, and set the permission to:

{"user":{"_and":[{"seller":{"_eq":true}},{"uid":{"_eq":"X-Hasura-User-Id"}}]}}

Next, you need to create a view, and select the id and description from the product table.

CREATE VIEW public.product_view as SELECT id, description FROM public.product;

Now, in the product_view you need to set the update permission to "without any checks" and select only the description. You also need to enable the select of id for the same role.

And this is how you would run your mutation:

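mutation {
  # Placeholder: set every column except description here
  update_product(where: {id: {_eq: 1}}, _set: {all_fields_but_description: and_values}) {
    affected_rows
  }
  # The view exposes only id and description
  update_product_view(where: {id: {_eq: 1}}, _set: {description: "new_description"}) {
    affected_rows
  }
}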

Something like that.
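
The combined effect of the two permissions described in the answer above, as an added example that is not part of the original thread and is not Hasura's code: a simplified Python model of an update check (allowed columns plus row filter). It assumes `user` is an object relationship on `product`; the `name` and `price` columns, the sample row and the session values are constructed.

```python
# Simplified model (assumption, not Hasura's implementation): an update
# permission is a set of allowed columns plus a row filter; an empty
# filter {} stands for "without any checks".

def matches(expr, row, session):
    """Evaluate a boolean permission expression against one row."""
    for key, val in expr.items():
        if key == "_and":
            if not all(matches(e, row, session) for e in val):
                return False
        elif isinstance(val, dict) and "_eq" in val:
            want = val["_eq"]
            # Values named X-Hasura-* are read from the session variables.
            if isinstance(want, str) and want.lower().startswith("x-hasura-"):
                want = session.get(want.lower())
            # A missing session variable must fail closed, never match.
            if want is None or row.get(key) != want:
                return False
        elif not matches(val, row.get(key) or {}, session):
            return False  # object relationship: descend into the related row
    return True

def can_update(perm, row, session, columns):
    """True when every column is allowed and the row passes the filter."""
    return set(columns) <= set(perm["columns"]) and matches(perm["filter"], row, session)

SELLER_FILTER = {"user": {"_and": [{"seller": {"_eq": True}},
                                    {"uid": {"_eq": "X-Hasura-User-Id"}}]}}
# Constructed permissions for one role; name and price are hypothetical columns.
PRODUCT = {"columns": ["name", "price"], "filter": SELLER_FILTER}
PRODUCT_VIEW = {"columns": ["description"], "filter": {}}

# Constructed sample row: product 1 belongs to seller u1.
ROW = {"id": 1, "name": "lamp", "price": 10, "description": "old",
       "user": {"uid": "u1", "seller": True}}

def allowed(session, columns):
    """One mutation field targets one object: table or view, never both."""
    return any(can_update(p, ROW, session, columns) for p in (PRODUCT, PRODUCT_VIEW))

if __name__ == "__main__":
    for uid in ("u1", "u2"):
        s = {"x-hasura-user-id": uid}
        print(uid, {c: allowed(s, [c]) for c in ("price", "description")})
```

The view permission lets every user of the role change description on any row, and a single mutation field cannot mix description with the other columns, which is why the answer's mutation uses two fields.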

Thank you for answering, @leoalves 👍

@vadbut: is your question answered? If yes, I'll close it.
