Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FR: GraphQL support for advanced/custom permissions #4845

Open
Mosnar opened this issue Aug 28, 2019 · 1 comment

Comments

@Mosnar
Copy link
Contributor

commented Aug 28, 2019

Description

Tokens & schemas are really geared towards very generalized permissions, which is great! However, at this point it's not possible to write granular permissions based on some custom criteria. For example, if I were to want to convert the Craft ID interface to GraphQL, I would not be able to restrict the permissions down such that I can only query for plugins or sales that I'm allowed to see. Consider another example where I have a "Users" field on an element to designate some additional owners of that element.

This presents are fairly difficult problem to solve as well as some security implications. I'm imagining this would need to be developed similarly to how custom element types are built in Craft, whereby a query builder is modified and maintained internally by the element. This change would need to be able to ensure the user isn't able to add some query criteria to leak out data that they're not allowed to see. For example, I shouldn't be able to just explicitly specify the id of another element to include it in my results.

Additional info

  • Craft version: 3.3.0.1
  • PHP version: N/A
  • Database driver & version: N/A
  • Plugins & versions: N/A
@narration-sd

This comment has been minimized.

Copy link
Contributor

commented Aug 28, 2019

Andris will have to say, but you'd think a simple add of a 'Guard also by logged in permissions' choice would be easy as a checkbox, since the GraphQ ends up as Element queries internally.

Such a permiso could be applied to Users and any other items that turn out to need it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.