Reputation: 27855
Imagine there are two clients:
Both clients send the same request to a GraphQL service.
Both get results.
Should both results be the same, or is it all right that both clients get different results?
In other words: If client-A receives 100 results and client-B receives 30 results, does this violate the spec or the best practice?
I asked what the "big brother" of GraphQL (SQL) does here: Same query, different result (depending on user's permissions)
Upvotes: 0
Views: 53
Reputation: 76601
This is not a problem by definition. It looks like client-A has privileges to see 70 additional results in comparison to client-B.
Upvotes: 0
Reputation: 5592
I had the same need multiple times, and I simply return different results to clients.
Different in this case means that client B receives some list of elements filtered according to the permissions, while a client with full permissions receives a non-filtered list.
I don't see anything wrong with this approach. If you blocked the request entirely for client B, that would be wrong in my opinion; there are some results he can see after all.
Upvotes: 2
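The per-client filtering described in the answers, as an added example that is not part of the original posts: a resolver in the usual `(parent, args, context)` shape that returns 100 items to one client and 30 to another for the same query. The data set, the role name `staff`, the `viewer` field on the context, and all function names are assumptions made for illustration.

```javascript
// Constructed sample data: 100 documents, 30 unrestricted and 70 restricted to "staff".
const DOCUMENTS = Array.from({ length: 100 }, (_, i) => ({
  id: i + 1,
  title: `doc-${i + 1}`,
  requiredRole: i < 30 ? null : "staff", // null = any authenticated client may see it
}));

// Deny by default: no viewer means nothing is visible; otherwise the document
// must need no role, or the viewer must hold the role it needs.
function canView(viewer, doc) {
  if (!viewer) return false;
  return doc.requiredRole === null || viewer.roles.includes(doc.requiredRole);
}

// The viewer is read from context (assumed to be set by the server after it
// authenticated the request), never from client-supplied query arguments.
function documentsResolver(_parent, args, context) {
  const visible = DOCUMENTS.filter((doc) => canView(context.viewer, doc));
  // Paginate after filtering so page sizes and totals never reveal hidden items.
  const requested = args.first ?? visible.length;
  const first = Math.max(0, Math.min(requested, visible.length));
  return { totalCount: visible.length, nodes: visible.slice(0, first) };
}

// Same query arguments, different request contexts (constructed).
const clientA = { viewer: { id: "client-A", roles: ["staff"] } };
const clientB = { viewer: { id: "client-B", roles: [] } };
const anonymous = { viewer: null };

for (const [name, ctx] of Object.entries({ clientA, clientB, anonymous })) {
  const result = documentsResolver(null, {}, ctx);
  console.log(`${name}: ${result.totalCount} results`);
}
```

Because `totalCount` is computed from the filtered list, client-B cannot infer from counts or page boundaries that 70 further items exist.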