Comments (10)
use more generic/right approach

```javascript
/**
 * @todo Server request pipe processing clean implementation #draft.2
 *
 * @url https://www.npmjs.com/package/p-waterfall
 * @url https://github.com/thebigredgeek/apollo-resolvers - parent resolvers
 * @url https://github.com/thebigredgeek/apollo-errors - Throw errors
 *
 * import processingPipe from 'p-waterfall';
 *
 * async function pipelineResolver(parent, args, ctx, ast) {
 *   // Build one parameter accepted as input and returned by each filter
 *   let input = {parent: parent, args: args, ctx: ctx, ast: ast};
 *   let filters = [
 *     value => sanitize(value),
 *     value => audit(value),
 *     value => authenticate(value),
 *     value => authorize(value),
 *     value => validate(value),
 *     value => operation(value) // The real work the resolver is supposed to do
 *   ];
 *   return await processingPipe(filters, input);
 * }
 */
```
from relay-starter-kit.
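Added example (editor's illustration, not a comment from this thread and not the starter kit's code): the waterfall-of-filters idea sketched above, written out so it can run. Each stage receives the same `{parent, args, ctx, ast}` object and either returns it or throws, so a request rejected by `authenticate` or `authorize` never reaches `operation`. `runWaterfall` is a small stand-in for the p-waterfall package; the stage names, the `auditLog` field on the context and the `approveStory` field are assumptions made for the example.

```javascript
// Stand-in for p-waterfall: run async tasks left to right, each one
// receiving the previous task's resolved value.
async function runWaterfall(tasks, initialValue) {
  let value = initialValue;
  for (const task of tasks) value = await task(value);
  return value;
}

class PermissionDenied extends Error {
  constructor(message) { super(message); this.name = 'PermissionDenied'; }
}
class ValidationError extends Error {
  constructor(message) { super(message); this.name = 'ValidationError'; }
}

// --- stages: each takes {parent, args, ctx, ast} and returns it (or throws) ---

// Normalise string arguments before any check looks at them
const sanitize = (input) => {
  const args = {};
  for (const [k, v] of Object.entries(input.args)) {
    args[k] = typeof v === 'string' ? v.trim() : v;
  }
  return { ...input, args };
};
// Record who attempted which field; runs before auth so denials are logged too
const audit = (input) => {
  const who = input.ctx.user ? input.ctx.user.id : 'anon';
  input.ctx.auditLog.push(`${who} -> ${input.ast.fieldName}`);
  return input;
};
const authenticate = (input) => {
  if (!input.ctx.user) throw new PermissionDenied('Authentication required.');
  return input;
};
const authorize = (input) => {
  if (!input.ctx.user.isAdmin) throw new PermissionDenied('Requires admin privileges.');
  return input;
};
const validate = (input) => {
  if (!input.args.id) throw new ValidationError('id is required.');
  return input;
};
// The real work; only reached when every earlier stage passed
const operation = (input) => ({ approved: true, id: input.args.id, by: input.ctx.user.id });

// Hypothetical mutation resolver built from the pipeline
function approveStoryResolver(parent, args, ctx, ast) {
  const input = { parent, args, ctx, ast };
  return runWaterfall([sanitize, audit, authenticate, authorize, validate, operation], input);
}

// Constructed request context (Passport.js would normally populate `user`)
function makeCtx(user) {
  return { user, auditLog: [] };
}
```

Because the stages are ordinary functions, the order is the policy: moving `validate` before `authorize` would leak "is this id well-formed" information to callers who are not allowed to perform the operation at all.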
@eclipticwld would you give an example of permissions you have in mind that you need to implement in your app?

Something like "only admins can view all published stories, while normal users can see stories that are not marked as spam"? One way to implement that would be by tweaking the "stories" query field:

```javascript
{
  type: new GraphQLList(StoryType),
  resolve(_, args, context) {
    return db
      .table('stories')
      // Filter the result set based on the user's permissions
      .where(context.isAdmin ? {} : { approved: true })
      .orderBy('created_at', 'desc')
      .select();
  }
}
```

Or, in a mutation, you could control who can approve a story:

```javascript
resolve(_, { input }, context) {
  // Check user's permissions
  context.ensureIsAdmin('You must be an admin to approve this story.');
  const { id } = fromGlobalId(input.id);
  return db
    .table('stories')
    .where({ id })
    .update({ approved: true });
}
```

...where `context.ensureIsAdmin()` is coming from `src/Context.js`:

```javascript
class Context {
  constructor(request) {
    // Where request.user is being set by Passport.js
    // and contains a list of "claims" for the current user
    this.user = request.user;
  }
  ...
  get isAdmin() {
    return Boolean(this.user && this.user.isAdmin);
  }
  ensureIsAdmin(message) {
    if (!this.isAdmin) {
      throw new PermissionDenied(message || 'Access denied (requires admin privileges).');
    }
  }
}
```

...or, instead of `.isAdmin`, `.ensureIsAdmin()` you could have `.canViewAllStories()`, `.ensureCanApproveStory()` helper methods available via GraphQL context.
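Added example (editor's illustration, not one of the thread's comments and not the relay-starter-kit code): the in-place authorization pattern from the comment above, runnable against an in-memory `db` instead of the real `stories` table. It uses the intent-named helpers the comment suggests (`canViewAllStories()`, `ensureCanApproveStory()`) so that the resolvers state what they need and the rule lives in one place. The sample rows, the numeric `input.id` (the starter kit decodes a Relay global id with `fromGlobalId`) and the `approveStoryResolver` name are assumptions for the example.

```javascript
class PermissionDenied extends Error {
  constructor(message) { super(message); this.name = 'PermissionDenied'; }
}

// Constructed sample data standing in for the `stories` table
const db = {
  stories: [
    { id: 1, title: 'Approved story',  approved: true,  created_at: 1 },
    { id: 2, title: 'Pending story',   approved: false, created_at: 2 },
    { id: 3, title: 'Another approved', approved: true, created_at: 3 },
  ],
};

class Context {
  constructor(request) {
    // request.user would be set by Passport.js from the session / claims
    this.user = request.user;
  }
  get isAdmin() {
    return Boolean(this.user && this.user.isAdmin);
  }
  // Intent-named helpers: a resolver asks "may I do X?", not "is admin?",
  // so changing the rule later touches only this class.
  canViewAllStories() {
    return this.isAdmin;
  }
  ensureCanApproveStory(message) {
    if (!this.isAdmin) {
      throw new PermissionDenied(message || 'Access denied (requires admin privileges).');
    }
  }
}

// "stories" query field: the permission decides the filter, not the caller
function storiesResolver(_, args, context) {
  return db.stories
    .filter(s => context.canViewAllStories() || s.approved)
    .sort((a, b) => b.created_at - a.created_at)
    .map(s => ({ ...s }));  // return copies so callers cannot mutate the table
}

// "approveStory" mutation: deny before any row is touched
function approveStoryResolver(_, { input }, context) {
  context.ensureCanApproveStory('You must be an admin to approve this story.');
  const story = db.stories.find(s => s.id === input.id);
  if (!story) throw new Error(`Story ${input.id} not found`);
  story.approved = true;
  return { ...story };
}
```

The query resolver never branches on `user.isAdmin` directly; an anonymous request (no `user`) simply falls into the "approved only" branch, which is the safe default when a claim is missing.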
@koistya joining this discussion: what if I don't want to show my schema to all users? I have an entity (events) which I want to show to everyone; however, I do not want to send the whole schema, only when the user is logged in. Is that possible? Thanks in advance
ACL is Authentication, not Authorisation like in your example, @koistya. It means {who} has access {type} to {what}..
@eclipticwld look at the discussion in ardatan/graphql-tools#313
@agborkowski @eclipticwld I'm curious to see an example, where the need for ACLs would be justified (as opposed to in-place authorization rules demonstrated above).
@koistya I think your example should cover almost all my cases. Thanks!
How about not showing the comment `text` property to all users except the author of the comment and the author of the story, based on some condition? Is it better to place it in the Context class?
@agborkowski I'll re-read the whole discussion once again. Thanks.
@eclipticwld you can check permissions inside of the `resolve()` method in the `Comment.text` field:

```javascript
new GraphQLObjectType({
  name: 'Comment',
  interfaces: [nodeInterface],
  ...
  text: {
    type: GraphQLString,
    resolve(comment, args, { user, storyById }) {
      // Non-authenticated users cannot see the text
      if (!user) return null;
      if (user.id === comment.author_id) {
        // The comment's author can see the text
        return comment.text;
      } else {
        // As well as the story's author
        return storyById.load(comment.story_id).then(story =>
          user.id === story.author_id ? comment.text : null
        );
      }
    }
  }
});
```

...and return `null` if the current user is not authorized to see that field. Note that under normal circumstances the comment entry most likely will be retrieved alongside the story. If so, getting a story by calling `storyById.load(..)` should not even hit the database at this stage (see `src/Context.js`).
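Added example (editor's illustration, not a thread comment and not the starter kit's code): the `Comment.text` field rule above as a plain resolver function, together with a minimal per-request loader so the "should not even hit the database" remark can be checked. `Loader` is a small stand-in for a DataLoader-style batching/caching loader; that `src/Context.js` builds `storyById` that way is an assumption. The tables, the `dbHits` counter and `makeContext` are constructed for the example.

```javascript
// Constructed sample rows standing in for the stories / comments tables
const tables = {
  stories:  [{ id: 10, author_id: 1, title: 'Story by user 1' }],
  comments: [{ id: 100, story_id: 10, author_id: 2, text: 'comment by user 2' }],
};

// Minimal per-request loader: keys requested in the same tick are fetched in
// one batch, and every key is cached for the lifetime of the request.
class Loader {
  constructor(batchFn) { this.batchFn = batchFn; this.cache = new Map(); this.queue = []; }
  load(key) {
    if (!this.cache.has(key)) {
      const pending = new Promise((resolve, reject) => {
        this.queue.push({ key, resolve, reject });
        if (this.queue.length === 1) process.nextTick(() => this.flush());
      });
      this.cache.set(key, pending);
    }
    return this.cache.get(key);
  }
  flush() {
    const batch = this.queue.splice(0);
    this.batchFn(batch.map(b => b.key)).then(
      rows => batch.forEach((b, i) => b.resolve(rows[i])),
      err  => batch.forEach(b => b.reject(err)));
  }
  // Seed the cache with a row already fetched by another resolver
  prime(key, value) {
    if (!this.cache.has(key)) this.cache.set(key, Promise.resolve(value));
    return this;
  }
}

// One context per request, as src/Context.js does; `user` comes from the session
function makeContext(user) {
  const ctx = { user, dbHits: 0 };
  ctx.storyById = new Loader(async ids => {
    ctx.dbHits += 1;  // one round-trip per batch, however many ids
    return ids.map(id => tables.stories.find(s => s.id === id) || null);
  });
  return ctx;
}

// Comment.text: null unless the viewer wrote the comment or owns the story
async function commentTextResolver(comment, args, { user, storyById }) {
  if (!user) return null;
  if (user.id === comment.author_id) return comment.text;
  const story = await storyById.load(comment.story_id);
  return story && user.id === story.author_id ? comment.text : null;
}
```

Returning `null` rather than throwing keeps the rest of the `Comment` object readable by users who may not see the text, and the loader means the per-field check costs at most one story fetch per request, or none when the story query primed it.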
I see. Thanks, @koistya ! It's a tricky part.
@ed-zm how do you show the schema to all users, by giving them a link to example.com/graphql? This UI can be disabled in `src/app.js` (`graphiql: false`) for production mode. Just trying to understand your use case..
@ed-zm I tried to think about the same problem; I thought you should generate schema/resolvers per user session. How? I didn't solve this problem. #graph.cool #graphcms solve this, but I think they run a full instance per user account