ACL managing about relay-starter-kit HOT 10 CLOSED

use more generic/right aproach

/**
 * @todo Server request pipe processing clean implementation #draft.2
 *
 * @url https://www.npmjs.com/package/p-waterfall
 * @url https://github.com/thebigredgeek/apollo-resolvers - parent resollvers
 * @url https://github.com/thebigredgeek/apollo-errors - Throw errors
 *
 * import processingPipe from 'p-waterfall';
 *
 * async function pipelineResolver(parent, args, ctx, ast) {
 *   // Build one parameter accepted as input and returned by each filter
 *   let input = {parent: parent, args: args, ctx: ctx, ast: ast};
 *   let filters = [
 *             value => sanitize(value),
 *             value => audit(value),
 *             value => authenticate(value),
 *             value => authorize(value),
 *             value => validate(value),
 *             value => operation(value)  // The real work the resolver is supposed to do
 *   ];
 *   return await processingPipe(filters, input);
 */

from relay-starter-kit.

@eclipticwld would you give an example of permissions you have in mind that you need to implement in your app?

Something like "only admins can view all published stories, while normal users can see stories that are not marked as spam"? One way to implement that would be by tweaking the "stories" query field:

{
  type: new GraphQLList(StoryType),
  resolve (_, args, context) {
    return db
      .table('stories')
      // Filter the result set based on user's users permissions
      .where(context.isAdmin ? {} : { approved: true })
      .orderBy('created_at', 'desc')
      .select();
  }
}

Or, in a mutation, you could control who can approve a story:

resolve(_, { input }, context) {
  // Check user's permissions
  context.ensureIsAdmin('You must be an admin to approve this sotry.');
  const { id } = fromGlobalId(input.id);
  return db
    .table('stories')
    .where({ id })
    .update({ approved: true });
}

..where context.ensureIsAdmin() is coming from src/Context.js:

class Context {
  constructor(request) {
    // Where request.user is being set by Passport.js
    // and contains a list of "claims" for the current user
    this.user = request.user;
  }
  ...
  get isAdmin() {
    return Boolean(this.user && this.user.isAdmin);
  }
  ensureIsAdmin(message) {
    if (!this.isAdmin) {
      throw new PermissionDenied(message || 'Access denied (requires admin privileges).'); 
    }
  }
}

...or, instead of .isAdmin, .ensureIsAdmin() you could have .canViewAllStories(), .ensureCanApproveStory() helper methods available via GraphQL context.

from relay-starter-kit.

@koistya joining to this discussion, what if I dont want to show my schema to all users? I have an entity(events) which I want to show to everyone, however I do not want send the whole schema, only when user is logged in, is that possible? thanks in advance

from relay-starter-kit.

ACL is Authentication not a Authorisation like in ur eg. @koistya it mean {who} has access {type} to {what}..

@eclipticwld look at discuss ardatan/graphql-tools#313

from relay-starter-kit.

@agborkowski @eclipticwld I'm curious to see an example, where the need for ACLs would be justified (as opposed to in-place authorization rules demonstrated above).

from relay-starter-kit.

@koistya I think your example should cover almost all my cases. Thanks!

How about don't show comment text property to all users except to the author of the comment and author of the story based on some condition? Is it better to place it to Context class?

@agborkowski I'll re-read once again the whole discussion. Thanks.

from relay-starter-kit.

@eclipticwld you can check permissions inside of the resolve() method in Comment.text field:

new GraphQLObjectType({
  name: 'Comment',
  interfaces: [nodeInterface],
  ...
  text: {
    type: GraphQLString,
    resolve(comment, args, { user, storyById }) {
      // Non authenticated users cannot see the text
      if (!user) return null;

      if (user.id === comment.author_id) {
        // The comment's author can see the text
        return comment.text;
      } else {
        // As well as the story's author
        return storyById.load(comment.story_id).then(story =>
          user.id === story.author_id ? comment.text : null
        );
      }
    }
  }
});

...and, return null if the current user is not authorized to see that field. Note, that under normal circumstances the comment entry most likely will be retrieved alongside the story. If so, getting a story by calling storyById.load(..) should not even hit the database at this stage (see src/Context.js).

from relay-starter-kit.

I see. Thanks, @koistya ! It's a tricky part.

from relay-starter-kit.

@ed-zm how do you show schema to all users, by giving them a link to example.com/graphql ? This UI can be disabled in src/app.js > graphiql: false (for production mode). Just trying to understand your use case..

from relay-starter-kit.

@ed-zm im tried think about same problem i thought you should generate schema/resolvers per user session, how ? i didn't solve this problem #graph.cool #graphcms solve this but i think they run full instance per user account

from relay-starter-kit.