
Support field-level auth control #59

Closed
ramnivas opened this issue Jun 17, 2021 · 0 comments · Fixed by #976

ramnivas commented Jun 17, 2021

A specific use case:

```exo
@access(query = AuthContext.role == "ADMIN" || AuthContext.id == self.id, mutation = AuthContext.role == "ADMIN" || AuthContext.id == self.id)
model User {
  id: Int @pk @autoincrement
  name: String
  membership: Membership?
}
```

```exo
@access(query = AuthContext.role == "ADMIN" || AuthContext.id == self.user.id, mutation = AuthContext.role == "ADMIN" || AuthContext.id == self.user.id)
model Membership {
  id: Int @pk @autoincrement
  kind: String
  user: User
  spouseInfo: String // In real app, more detailed
}
```

Here we would like users to be able to edit their membership only to the extent of updating the spouseInfo. In other words, users should not be able to assign their membership to another user or change the kind (those must be done by an admin).

Another example:

```exo
@access(self.published || AuthContext.role == "admin")
type Concert {
   @pk id ...
   notes: String @auth(AuthContext.role == "admin")
}
```

Here, notes should be accessible only to "admin"s regardless of whether the concert is published.
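An added example (not Exograph's own code) that models the semantics the two cases above ask for: a field without its own rule inherits the type-level rule, while a field with one must satisfy both, evaluated per operation over the Membership and Concert models. The `AuthContext`/row shapes, the `TypePolicy` structure and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

@dataclass
class AuthContext:
    id: int
    role: str

# A rule is a predicate over (AuthContext, row). A field without its own rule
# inherits the type-level rule; a field with one must satisfy BOTH rules.
Rule = Callable[[AuthContext, dict], bool]

@dataclass
class TypePolicy:
    query: Rule
    mutation: Rule
    field_query: Dict[str, Rule] = field(default_factory=dict)
    field_mutation: Dict[str, Rule] = field(default_factory=dict)

def allowed(policy: TypePolicy, op: str, auth: AuthContext, row: dict, name: str) -> bool:
    type_rule = policy.query if op == "query" else policy.mutation
    field_rules = policy.field_query if op == "query" else policy.field_mutation
    if not type_rule(auth, row):          # the type-level gate applies to every field
        return False
    rule = field_rules.get(name)
    return True if rule is None else rule(auth, row)

def visible_fields(policy: TypePolicy, auth: AuthContext, row: dict) -> Set[str]:
    """Fields of `row` the caller may read."""
    return {f for f in row if allowed(policy, "query", auth, row, f)}

def rejected_changes(policy: TypePolicy, auth: AuthContext, row: dict, changes: dict) -> Set[str]:
    """Fields in `changes` the caller may NOT write; an empty set means the mutation is permitted."""
    return {f for f in changes if not allowed(policy, "mutation", auth, row, f)}

# Constructed policies mirroring the two examples in the issue (roles spelled as there).
def is_admin(a: AuthContext, r: dict) -> bool:
    return a.role == "ADMIN"
def admin_or_owner(a: AuthContext, r: dict) -> bool:
    return a.role == "ADMIN" or a.id == r["user"]

MEMBERSHIP = TypePolicy(query=admin_or_owner, mutation=admin_or_owner,
                        field_mutation={"kind": is_admin, "user": is_admin})  # spouseInfo inherits
CONCERT = TypePolicy(query=lambda a, r: r["published"] or a.role == "admin",
                     mutation=lambda a, r: a.role == "admin",
                     field_query={"notes": lambda a, r: a.role == "admin"})

MEMBERSHIP_ROW = {"id": 7, "kind": "gold", "user": 42, "spouseInfo": ""}   # constructed data
CONCERT_ROW = {"id": 3, "published": True, "notes": "internal"}            # constructed data
```

A denied field write rejects the whole mutation here rather than silently dropping the field, which is the safer default for a policy check.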

@ramnivas ramnivas added the auth label Jun 17, 2021
@ramnivas ramnivas added the P2 label May 18, 2023
ramnivas added a commit that referenced this issue Jan 5, 2024
Support field-level access control in the same way as type-level access control to allow expression models such as:

```exo
@postgres
module ProductDatabase {
  @access(query = true, mutation = AuthContext.role == "admin")
  type Product {
    @pk id: Int = autoIncrement()
    name: String
    salePrice: Float

    @access(AuthContext.role == "admin")
    purchasePrice: Float
  }
}
```

Fixes #59