Reputation: 341
How to manage permissions in GraphQL?
For example, if someone makes a query to retrieve posts and the user doesn't have permissions, what should the response be in such a case?
What should the response be when there are no permissions for a subcollection? For example posts + comments, when the user has permissions for posts but not for comments.
Upvotes: 0
Views: 323
Reputation: 9684
In general, whenever the user doesn't have permission to view the object, you either return null or you return an error. It's really up to you and your requirements. Same for sub-collections.
I know this isn't a very satisfying answer, and I'm sorry. But your question is too broad and there are far too many possible answers, and they all depend on your requirements.
I recommend watching this GraphQL Summit 2017 video: "Ryan Chenkie - Handling Authentication and Authorization in GraphQL". It outlines a couple of viable approaches with sample code.
Also, here's a recent answer that looks pretty useful: Graphql @include with expression
Upvotes: 3
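As an added illustration of the two options the answer describes (this is example code, not from the question, the answer, or any GraphQL library), the block below puts the permission check inside each field's resolver: the top-level `posts` field throws, which a GraphQL server turns into a `null` field plus an entry in `errors` with a `path`, while the `comments` sub-collection simply returns `null` for a viewer without the right scope, so the rest of the post is still delivered. The `graphql` package is not used; a tiny executor stands in for the server so the block runs offline. The types, scopes, viewer shape and sample data are all constructed assumptions.

```javascript
// Added example: field-level authorization in GraphQL-style resolvers,
// producing a GraphQL-shaped response { data, errors }. A minimal executor
// replaces a real server so this runs without the graphql package.
// Post/Comment types, the "posts:read"/"comments:read" scopes and the data
// below are constructed assumptions, not a real API.

// Constructed sample data.
const POSTS = [
  { id: "p1", title: "Hello", comments: [{ id: "c1", body: "first" }] },
  { id: "p2", title: "World", comments: [] },
];

// Constructed permission model: the viewer on the request context carries scopes.
function can(viewer, scope) {
  return Boolean(viewer && viewer.scopes.includes(scope));
}

// Authorization failures carry an extensions.code, the way GraphQL servers
// usually expose machine-readable error categories to clients.
class ForbiddenError extends Error {
  constructor(message) {
    super(message);
    this.extensions = { code: "FORBIDDEN" };
  }
}

// Resolvers: the check sits next to the field, so a sub-collection can
// require a different scope than its parent.
const resolvers = {
  Query: {
    posts(_parent, _args, ctx) {
      // Option 1: error. The field becomes null and an error with a path is reported.
      if (!can(ctx.viewer, "posts:read")) throw new ForbiddenError("not allowed to read posts");
      return POSTS;
    },
  },
  Post: {
    title: (post) => post.title,
    comments(post, _args, ctx) {
      // Option 2: null. The parent object is still returned, only this field is hidden.
      if (!can(ctx.viewer, "comments:read")) return null;
      return post.comments;
    },
  },
  Comment: { body: (comment) => comment.body },
};

// Object return types of non-scalar fields (scalars are omitted).
const fieldTypes = { "Query.posts": "Post", "Post.comments": "Comment" };

// A selection written as nested objects, e.g.
// { posts: { title: true, comments: { body: true } } } stands for
// query { posts { title comments { body } } }.
const QUERY = { posts: { title: true, comments: { body: true } } };

function execute(selection, ctx) {
  const errors = [];
  const data = executeSelection("Query", null, selection, ctx, [], errors);
  return errors.length ? { data, errors } : { data };
}

// Resolve every selected field; a thrown error nulls the field and is
// recorded with its path, mirroring GraphQL's partial-result behaviour.
function executeSelection(typeName, parent, selection, ctx, path, errors) {
  const result = {};
  for (const [field, sub] of Object.entries(selection)) {
    const fieldPath = [...path, field];
    let value;
    try {
      value = resolvers[typeName][field](parent, {}, ctx);
    } catch (err) {
      errors.push({ message: err.message, path: fieldPath, extensions: err.extensions });
      result[field] = null;
      continue;
    }
    result[field] = complete(fieldTypes[`${typeName}.${field}`], value, sub, ctx, fieldPath, errors);
  }
  return result;
}

// Complete a resolved value: null stays null, scalars pass through,
// lists recurse per element, objects recurse into their sub-selection.
function complete(typeName, value, sub, ctx, path, errors) {
  if (value === null || value === undefined) return null;
  if (sub === true) return value;
  if (Array.isArray(value)) {
    return value.map((item, i) => complete(typeName, item, sub, ctx, [...path, i], errors));
  }
  return executeSelection(typeName, value, sub, ctx, path, errors);
}

// Demo: a viewer who may read posts but not comments gets the posts with comments: null.
console.log(JSON.stringify(execute(QUERY, { viewer: { scopes: ["posts:read"] } }), null, 2));
```

Which option to pick per field is a product decision, as the answer says; what the example shows is that the decision is local to the resolver, so the top-level field and its sub-collection can reasonably differ, and that clients can tell the two apart by looking for an `errors` entry whose `path` points at the field.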