I'm trying to build a GraphQL interface on top of MikroORM. I have the following entities: User, Org, Team, Book. An Org has one owner (User), zero or more administrators (User), and multiple teams. Teams have members (User) and books.
I'm currently stuck on the permission model. I would want API calls to only return what the authenticated user is allowed to see: for example, the following query should return all books owned by a team the current user is part of, or owned by a team itself part of an org that the current user owns or administrates.
My initial thinking was to write a filter for my Team and Book entities. It's not super pretty, but for Team it would look like this (unwrapping a few helper functions):

However, I'm worried for a few reasons:

1. It's unclear how this would scale. It currently kinda works because conditions aren't too complicated, but I could see that becoming a mess if left unbound. I'm also not sure whether such complex queries are good practice vs multiple smaller queries (but then I wouldn't be able to benefit from auto-filtering).
2. It doesn't work. For some reason, `owner` is checked against Team instead of being checked against the `organization` field (almost as if `$and` inside `$or` were "forgetting" the current context). If you're interested, I put the generated query below:
Problematic Query
```sql
SELECT "e0".* FROM "Team" AS "e0"
LEFT JOIN "Organization" AS "e1" ON "e0"."organization" = "e1"."id"
LEFT JOIN "Organization_administrators" AS "e2" ON "e1"."id" = "e2"."organization"
LEFT JOIN "Team_members" AS "e3" ON "e0"."id" = "e3"."team"
WHERE ((((
  "e0"."owner" = '<user id>' AND "e0"."owner" IS NOT NULL)
  OR "e2"."user" = '<user id>'))
  OR "e3"."user" = '<user id>')
AND "e0"."organization" IN ('<org id>')
ORDER BY "e0"."organization" ASC
-- COLUMN e0.owner does NOT exist
```
But the biggest issue is that it doesn't seem to interact well with `populate` joins. Looking at the generated SQL filters, the owners/organization/members filter predicates are all applied to the same table as the one used to populate the relevant relationships (and thus "leak" into it). For example, considering the following GraphQL call:

```graphql
organization {
  members {
    id
  }
}
```
Since the `{members: user}` part of the filter predicate will be applied to the same joined table as the one used for the `members` populate, the list I'll retrieve will only include the current user.

I'm sure this problem is relatively common, so I'm hoping to get some advice on what good practices are regarding database and permission models. Am I going the wrong way with Filters?
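As an added illustration (hand-written SQL, not from the post and not what MikroORM generates): the Team visibility rule from the post, expressed as correlated `EXISTS` subqueries over the tables that appear in the generated query. The check binds only to the root `Team` row, so the `LEFT JOIN` used to populate `members` is left unconstrained and returns every member, not just the current user. The `m."user" AS member_user` projection and the `'<user id>'` placeholder are assumptions.

```sql
-- Constructed example: permission predicate kept separate from populate joins.
SELECT t.*, m."user" AS member_user
FROM "Team" AS t
-- populate join: no visibility condition is attached to it, so all members come back
LEFT JOIN "Team_members" AS m ON m."team" = t."id"
WHERE (
    -- current user is a member of the team
    EXISTS (SELECT 1 FROM "Team_members" AS tm
            WHERE tm."team" = t."id" AND tm."user" = '<user id>')
    -- or owns the organization the team belongs to (owner lives on Organization, not Team)
    OR EXISTS (SELECT 1 FROM "Organization" AS o
               WHERE o."id" = t."organization" AND o."owner" = '<user id>')
    -- or administrates that organization
    OR EXISTS (SELECT 1 FROM "Organization_administrators" AS oa
               WHERE oa."organization" = t."organization" AND oa."user" = '<user id>')
)
ORDER BY t."organization" ASC;
```

Each subquery refers to its own table instance, so a predicate on `Team_members` in the WHERE clause cannot narrow the rows produced by the populate join, which is exactly the leak the post describes.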