FR: GraphQL support for advanced/custom permissions #4845
Tokens & schemas are really geared towards very generalized permissions, which is great! However, at this point it's not possible to write granular permissions based on some custom criteria. For example, if I were to want to convert the Craft ID interface to GraphQL, I would not be able to restrict the permissions down such that I can only query for plugins or sales that I'm allowed to see. Consider another example where I have a "Users" field on an element to designate some additional owners of that element.
This presents a fairly difficult problem to solve as well as some security implications. I'm imagining this would need to be developed similarly to how custom element types are built in Craft, whereby a query builder is modified and maintained internally by the element. This change would need to be able to ensure the user isn't able to add some query criteria to leak out data that they're not allowed to see. For example, I shouldn't be able to just explicitly specify the id of another element to include it in my results.
Andris will have to say, but you'd think a simple add of a 'Guard also by logged in permissions' choice would be easy as a checkbox, since the GraphQL ends up as Element queries internally.
Such a permission could be applied to Users and any other items that turn out to need it.
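The concern raised in the issue (an explicit `id` argument must not pull in elements the user cannot see) and the per-user guard suggested in the comment can be illustrated together. This is an added example, not Craft's code and not part of the thread: the function names, the `owners` key standing in for the "Users" field, and the in-memory array standing in for an element query are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data; 'owners' stands in for the "Users" field from the issue.
const ELEMENTS = [
    ['id' => 1, 'type' => 'plugin', 'authorId' => 10, 'owners' => [11]],
    ['id' => 2, 'type' => 'plugin', 'authorId' => 20, 'owners' => []],
    ['id' => 3, 'type' => 'sale',   'authorId' => 20, 'owners' => [10]],
];

// Only these client-supplied arguments are honoured; anything else is rejected
// so a caller cannot widen or replace the server-side guard.
const ALLOWED_CRITERIA = ['id', 'type'];

/** Hypothetical guard: may $userId see $element at all? */
function canView(array $element, int $userId): bool
{
    return $element['authorId'] === $userId
        || in_array($userId, $element['owners'], true);
}

/** Hypothetical resolver: client criteria only narrow; the guard is always ANDed in. */
function resolveElements(array $elements, ?int $userId, array $criteria): array
{
    if ($userId === null) {
        return []; // no logged-in user: nothing is visible
    }
    $unknown = array_diff(array_keys($criteria), ALLOWED_CRITERIA);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unsupported criteria: ' . implode(', ', $unknown));
    }
    $matches = array_filter($elements, function (array $el) use ($userId, $criteria): bool {
        foreach ($criteria as $key => $wanted) {
            if (!in_array($el[$key], (array) $wanted, true)) {
                return false;
            }
        }
        return canView($el, $userId); // applied last; criteria cannot override it
    });
    return array_column($matches, 'id');
}

var_dump(resolveElements(ELEMENTS, 10, []));                   // everything user 10 may see
var_dump(resolveElements(ELEMENTS, 10, ['id' => 2]));          // explicit id is still guarded
var_dump(resolveElements(ELEMENTS, 11, ['type' => 'plugin'])); // access via the owners field
```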