I have designed a postgres schema for an application I'm building, and used the wonderful postgraphql tutorial as a basis for the user registration and login.
This includes separating out the user_account table into a private schema (for password_hash, email), a user table for other details (real name, username, etc.) and a function that can be executed by the anon user, like register_user in the tutorial.
This function inputs the data in the user_account and then puts the rest (including the user's new UUID generated from user_account -- this is also the method used in the linked https://github.com/membership/membership.db) in user before returning the created user data (not including the user_account row).
However, what I see in the generated _graphiql_ documentation are auto-generated functions from the introspection: createUser, updateUser, deleteUser. I don't really want these functions to be available, or even generated, as I'll have my own custom ones like register_user to manage user data that is split across the two tables.
It's similar to the question here: https://github.com/postgraphql/postgraphql/issues/425, but that one is more about permission levels. The three functions mentioned above are not custom functions written by me.
Is the solution to put the user table (although it's public) in yet another schema and use that in the connection string, and make a function on the connected schema which can call my custom registerUser, deleteUser, and updateUser?
You want --disable-default-mutations
@benjie -- damn that was fast! Thank you for the response.
I've just updated my initial question with this:
Is the solution to put the user table (although it's public) in yet another schema and use that in the connection string, and make a function on the connected schema which can call my custom registerUser, deleteUser, and updateUser?
If I wanted to keep some of the default mutations -- would this be a practical solution?
Ref #595
Eventually, would it be possible to restrict a specific verb on a specific table (like disable deleteUser only but still have the defaults createUser and updateUser)?
You can write a plugin to do that now, but potentially we could add this in future. File a separate issue for it so I can track it 👍
wow super fast thx a lot! will do rn.
if I may still here; the use case would be to let a single user only be able to retrieve its own posts; disable him to list all posts. I thought about this approach; but would there be any others better suited? Like, enforcing to pass the userId in the allPosts default query?
I'd advise using Row Level Security for this purpose - see https://www.graphile.org/postgraphile/security/
There are now at least two different methods of disabling the default mutations (without having to write a plugin):
Smart comments: https://www.graphile.org/postgraphile/smart-comments/#omitting
--no-ignore-rbac / ignoreRBAC: false - and then revoking the relevant method on the table.
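
The two methods listed in the last comment, together with the Row Level Security advice given earlier, as an added SQL example that is not part of the original thread or the PostGraphile docs. The schema names (`app_public`), the roles (`app_anonymous`, `app_user`), the `post` table and the `user_id` JWT claim are assumptions made for illustration.

```sql
-- Constructed schema: every name below is an assumption, not taken from the thread.
begin;

create schema app_public;
create role app_anonymous;
create role app_user;

create table app_public."user" (
  id       uuid primary key,
  username text not null unique
);
create table app_public.post (
  id        serial primary key,
  author_id uuid not null references app_public."user" (id),
  body      text not null
);

-- Method 1, smart comment: omit createUser and deleteUser, keep updateUser.
-- Rows are then created and removed only through custom functions such as
-- register_user.
comment on table app_public."user" is E'@omit create,delete';

-- Method 2, for use with --no-ignore-rbac / ignoreRBAC: false.
-- PostGraphile leaves out mutations that no role reachable from the
-- connection role has the privilege to run, so grant only what is wanted.
revoke all on app_public."user", app_public.post from public;
grant usage on schema app_public to app_anonymous, app_user;
grant select on app_public."user" to app_anonymous, app_user;
grant update (username) on app_public."user" to app_user;  -- no INSERT, no DELETE
grant select, insert, update, delete on app_public.post to app_user;
grant usage on sequence app_public.post_id_seq to app_user;

-- Row Level Security: allPosts stays in the API, but a caller only sees and
-- modifies rows they own. Assumes the JWT carries a user_id claim, which
-- PostGraphile exposes as the jwt.claims.user_id setting.
alter table app_public.post enable row level security;
create policy own_posts on app_public.post
  for all to app_user
  using      (author_id = nullif(current_setting('jwt.claims.user_id', true), '')::uuid)
  with check (author_id = nullif(current_setting('jwt.claims.user_id', true), '')::uuid);

commit;
```

The smart comment only hides the mutations from the GraphQL schema; the revoked grants and the RLS policy are what the database itself enforces, so they still apply to any client that reaches PostgreSQL by another path.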