Is there a way to separate classes and fields permissions depending on the type of operation?

[alexander161198]

Hello!
I need to separate access for classes (and fields) in different operations (read in query; update, add, delete in mutations). How can this be done? I found that I can separate access to classes and fields using the Authorization attribute, but didn't find an operation type setting.

For example, I have class Book:

public class book
    {
        public String? title { get; set; }
        public String? isbn { get; set; }
        [Key]
        public Int32 Id { get; set; }
    }

and some mutations:

public async Task<MutationIdResult<int>> add_booktest_book([ScopedService()] InteractiveStoreContext dbcontext, bookTest_bookDataInput bookTest_book)
        {
            try  
            { 
                ...
                dbcontext.bookTest_books.Add(bookTest_bookModel);  
                ...
                return await Task.FromResult(result);  
            } 
            catch (Exception e) 
            { 
                throw new MutationInsertException (e.Message, e);  
            }
        }

public async Task<MutationResult> update_booktest_book([ScopedService()] InteractiveStoreContext dbcontext, bookTest_bookDataInput bookTest_book, IResolverContext resolverContext)
        {
            updateItems = dbcontext.bookTest_books.AsQueryable()   
                
            try  
            { 
                ... 
                int modifiedCount = await dbcontext.SaveChangesAsync();  
                ...
            } 
            catch (Exception e) 
            { ... }
        }

public async Task<MutationResult> delete_booktest_book([ScopedService()] InteractiveStoreContext dbcontext, IResolverContext resolverContext, bookTest_bookDataInput bookTest_book)
        {
            IQueryable<book> entitiesToRemove;  
            ...
            entitiesToRemove = dbcontext.bookTest_books.AsQueryable() ;  

            try  
            {
                 dbcontext.bookTest_books.RemoveRange (entitiesToRemove);  
                 modifiedCount = await dbcontext.SaveChangesAsync() ;  
                 ... 
            } 
            ...
        }

What can I do so that the user could have the right to read and update entities of the class or curtain field, but couldn't delete entities of this class or field? Maybe FilterFieldHandler or something?

Thank you for help.

[PascalSenn]

Hi @alexander161198

You can add the [Authorize] directive also directly onto the mutations. You can then create a Policy for each of the different actions.

[Authorize(Policy = "AddBook")]
public async Task<MutationIdResult<int>> add_booktest_book(...) {...}

[Authorize(Policy = "DeleteBook")]
public async Task<MutationIdResult<int>> delete_booktest_book(...) {...}

[Authorize(Policy = "UpdateBook")]
public async Task<MutationIdResult<int>> update_booktest_book(...){...}

[alexander161198]

Than you for answer!
But I won't be able to set permissions on certain class fields in different operations if I use this approach. Or am I wrong?