Feature Request: Whitelisting instead of Blacklisting

[gentle-noah]

Hey, I absolutely love this. Thank you so much for your hard work on graphql-shield. One thing that I feel would be super useful is a whitelisting in place of blacklisting feature. Locking everything down and then explicitly exposing access would go a long way to help people develop better habits, be more involved with this part of the process and I think create all around more secure systems.

[maticzav]

Hey @gentle-noah 👋

I am so happy to hear that you love graphql-shield. I couldn't agree with you more! The first version was already whitelisting instead of blacklisting, but there were some major issues with permissions tree creation and I postponed the whole thing so that I could get users' feedback faster.

I have found the solution to previous problems and will be adding whitelisting back to the workflow as soon as possible.

Thank you so much for your feedback! 🙂

[schickling]

I'm pretty convinced that blacklisting is still the better default but I agree, that there should be an option to make graphql-shield whitelist-based.

[gentle-noah]

@schickling - totally agree here. I think most people will find the blacklisting more helpful and easier to implement by default. There are a few industries that will find the whitelisting option more useful, which is why it would be great to have it as an option. I'm mostly thinking about any health tech that needs to be HIPPA compliant in the US and most fintech applications. Having the option makes this awesome tech much more accessible to companies in those space.

[maticzav]

We have introduced this feature with #119. In light of it, I'll close the issue.