I understand a lot of work is required to get GraphQL to handle granular authentication. Opening up full access to admin roles was a quick way to make GraphQL usable, but we all know the security implications.
I’m wondering how much effort would be required to make the GraphQL API read only. It seems to me it would not require granular authentication support. Maybe just have an option that disables all mutations and possibly an option to access the data without a token.
There are a lot of situations where applications don’t care who reads the data, but certainly don’t want to allow anyone to change the data.
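A read-only guard of the kind proposed above, as an added example that is not part of this issue thread or of Directus: it inspects the incoming GraphQL document and rejects any request that carries a mutation or subscription, while queries and fragments pass. The function names `topLevelDefinitionKinds`, `isReadOnlyDocument` and `enforceReadOnly` are my own, and the request-body shape `{ query, operationName, variables }` is assumed to be the usual GraphQL-over-HTTP JSON body.

```javascript
// Added example (not Directus code): a read-only guard for a GraphQL endpoint.
// It classifies the top-level definitions of a document and refuses anything
// that is not a query or a fragment. Helper names are hypothetical.

// Blank out comments and string literals so that keywords appearing inside
// them (e.g. a filter value "mutation {") are not mistaken for definitions.
function stripCommentsAndStrings(doc) {
  let out = '';
  let i = 0;
  while (i < doc.length) {
    const ch = doc[i];
    if (ch === '#') {                        // comment runs to end of line
      while (i < doc.length && doc[i] !== '\n') i++;
    } else if (doc.startsWith('"""', i)) {   // block string
      const end = doc.indexOf('"""', i + 3);
      i = end === -1 ? doc.length : end + 3;
      out += ' ';
    } else if (ch === '"') {                 // ordinary string; honour \" escapes
      i++;
      while (i < doc.length && doc[i] !== '"') i += doc[i] === '\\' ? 2 : 1;
      i++;
      out += ' ';
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// List the definition kinds at the top level of a document, in order:
// 'query', 'mutation', 'subscription' or 'fragment'. The shorthand `{ ... }`
// is an anonymous query per the GraphQL spec. Only braces and parentheses are
// tracked; a malformed document can at worst yield an unknown kind, which the
// guard below rejects.
function topLevelDefinitionKinds(doc) {
  const src = stripCommentsAndStrings(doc);
  const kinds = [];
  let braceDepth = 0;   // nesting inside selection sets
  let parenDepth = 0;   // inside variable definitions, e.g. ($input: T = {a: 1})
  let keyword = null;   // first word of the current top-level definition
  let word = '';

  const flushWord = () => {
    if (word && braceDepth === 0 && parenDepth === 0 && keyword === null) keyword = word;
    word = '';
  };

  for (const ch of src) {
    if (/[_A-Za-z0-9]/.test(ch)) { word += ch; continue; }
    flushWord();
    if (braceDepth === 0 && parenDepth > 0) {
      if (ch === ')') parenDepth--;
      continue;                              // braces here belong to default values
    }
    if (ch === '(' && braceDepth === 0) {
      parenDepth++;
    } else if (ch === '{') {
      if (braceDepth === 0) kinds.push(keyword === null ? 'query' : keyword);
      braceDepth++;
    } else if (ch === '}') {
      braceDepth--;
      if (braceDepth === 0) keyword = null;  // definition finished
    }
  }
  return kinds;
}

// Fail closed: allow only documents made of queries and fragments that contain
// at least one query. Mutations, subscriptions, unknown kinds and empty
// documents are all rejected.
function isReadOnlyDocument(doc) {
  const kinds = topLevelDefinitionKinds(doc);
  return kinds.includes('query') && kinds.every((k) => k === 'query' || k === 'fragment');
}

// Guard for a parsed request body { query, operationName, variables }.
function enforceReadOnly(body) {
  if (!body || typeof body.query !== 'string') {
    return { allowed: false, reason: 'request body has no GraphQL document' };
  }
  if (!isReadOnlyDocument(body.query)) {
    return { allowed: false, reason: 'only query operations are permitted on this endpoint' };
  }
  return { allowed: true };
}
```

In a real server the same check is better expressed as a validation rule over the AST produced by the server's own GraphQL library, so that the guard and the executor agree on what the document contains; the text-level scanner here only exists so the example runs without dependencies. Two caveats apply either way: the guard must run on every transport that accepts documents (POST bodies and GET query strings alike), and "read only" is only as strong as the schema's query resolvers, since a query field that performs a write is not stopped by this check.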
@codejamninja Maybe https://docs.directus.io/api/graphql.html can be helpful.
@hemratna yes, I read through the docs. I don't see any information about using GraphQL in a read-only mode. It seems to me that if you use it, the client has access to all operations.
Hey @codejamninja — I'm fairly certain that the GraphQL implementation is Admin only (as you mentioned), and therefore I don't think there's currently a way to limit to readonly. Once the next API refactor is done, we'll be circling back to GraphQL to give it proper Role/Permission support.
To achieve better clarity/visibility, we are now tracking feature requests within the Feature Request project board.
This issue being closed does not mean it's not being considered.
@benhaynes how do I add it to the feature request board?
I did it already — adding it to the Feature Request Project board is what does it.
@benhaynes how do I get access to add to the Feature Request board?
I don’t have access to add.
The community adds GitHub tickets, and then our core team decides if they are bugs, feature requests, duplicates, or "won't fix" and then assigns them appropriately. So feel free to add them as tickets to the appropriate repos and we'll get them in there for you! 😄
I don’t believe you have it set up in a way where the community has permission to add a ticket.
Haha, what I'm saying is you add a GitHub issue here: https://github.com/directus/api/issues/new
And then we (core team) categorize it as a Feature Request (if it is one).
Thanks, sorry for the confusion.
Any updates on this request? Could this feature potentially be a part of v9?