Graphqlbundle: Field access control

Created on 23 Aug 2017  路  10Comments  路  Source: overblog/GraphQLBundle

| Q | A
| ---------------- | -----
| Bug report? | no
| Feature request? | maybe
| BC Break report? | no
| RFC? | no
| Version/Branch | x.y.z

I am trying to define field access control on my types, but I need to use the whole object for this decision, not only the value of protected field (which is accessible in expression by object).

Example:

Advert:
    type: object
    config:
        fields:
            id:
                type: Int
            userId:
                type: Int
            description:
                type: String
                access: "@= ???"

In my example I want to allow access to description property only for owner (based on userId) of the Advert object and to forbid it for all others. All other properties should remain accessible for all users.

Is this possible using Expression language with available variables? Or I have to create custom resolvers, where I can check against this condition, for all my fields?

documentation needed question

All 10 comments

i use this

 User:
    type: object
    config:
        fields:
            id:
                type: "ID!"
                builder: "Relay::GlobalId"
                builderConfig:
                    typeName: User
            username:
                type: "String!"
                deprecationReason: "Using e-mail only"
            email:
                type: "String!"
            cards:
                type: "[Card]"
                resolve: "@=resolver('user_card_list', [value])"
                access: "@=value === user"

so you could use
```
access: "@=value.getOwner() === user"

OK, so the value variable is also available in the access control, not only in the resolve context as said in docs?
Does that mean, that access is evaluated in the resolve context and all resolve variables are therefore accessible as well? If so, there should be some information about that in docs.

hi, in access mode you should use object and not value (even if value can be in some case accessible). Note that object is not accessible in mutation because mutation is executed only if access is true vs query that is execute before executing access...
Here the flow:

  • in query mode: execute resolver -> execute access -> manage result in function of access
  • in mutation mode: execute access -> execute resolver if access result is true

need some documentation I think this part is not enough clear...

but object is value of the field, so you cannot check the access as I and @pekarja5 need it

@calvera that's right, my bad :+1:

@mcg-web So, what is the proposed solution for this? In which cases the value variable will be available to use?

the solution of @calvera is the best but not sure it will work for mutation operation... Maybe this is not your use case.

OK, thx

not sure it will work for mutation operation

i'm fine with this because mutation has no 'parent' entity

Was this page helpful?
0 / 5 - 0 ratings