From 9a52c8ffee63ecbcedd19189a6b9737ac523346a Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 9 May 2018 18:31:51 +0200 Subject: [PATCH 1/5] doc --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f951b0bf1..b861cf6ff 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,7 @@ Documentation - [Promise](Resources/doc/data-fetching/promise.md) - [Security](Resources/doc/security/index.md) - [Handle CORS](Resources/doc/security/handle-cors.md) + - [Object access control](Resources/doc/security/object-access-control.md) - [Fields access control](Resources/doc/security/fields-access-control.md) - [Fields public control](Resources/doc/security/fields-public-control.md) - [Limiting query depth](Resources/doc/security/limiting-query-depth.md) From edaae0f57718b31888422c7da1344c4ee7497c0f Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 9 May 2018 18:35:08 +0200 Subject: [PATCH 2/5] doc --- Resources/doc/security/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Resources/doc/security/index.md b/Resources/doc/security/index.md index be362d504..b49af5486 100644 --- a/Resources/doc/security/index.md +++ b/Resources/doc/security/index.md @@ -2,6 +2,7 @@ Security ======== * [Handle CORS](handle-cors.md) +* [Object access control](object-access-control.md) * [Fields access control](fields-access-control.md) * [Fields public control](fields-public-control.md) * [Limiting query depth](limiting-query-depth.md) From bf2e6cedf4f4a6d14a8bdbbc2c2ea23d41af2e53 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 9 May 2018 18:39:40 +0200 Subject: [PATCH 3/5] doc --- Resources/doc/security/fields-access-control.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Resources/doc/security/fields-access-control.md b/Resources/doc/security/fields-access-control.md index 523234dc5..235b7a5e8 100644 --- a/Resources/doc/security/fields-access-control.md +++ b/Resources/doc/security/fields-access-control.md 
@@ -5,6 +5,10 @@ An access control can be add on each field using `config.fields.*.access` or glo If `config.fields.*.access` value is true field will be normally resolved but will be `null` otherwise. Act like access is`true` if not set. +Note: +- in query mode: execute resolver -> execute access -> manage result in function of access +- in mutation mode: execute access -> execute resolver if access result is true + In the example below the Human name is available only for authenticated users. ```yaml @@ -32,3 +36,9 @@ Human: description: "The home planet of the human, or null if unknown." interfaces: [Character] ``` + +Performance +----------- +Checking access on each field can be a performance issue and may be dealt with using: +- using a custom cache to do the check only once +- using [Object access control](object-access-control.md) From 7a7309714865c4e9c52790ccf3a65d6c66ef1258 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 9 May 2018 18:40:20 +0200 Subject: [PATCH 4/5] typo --- Resources/doc/security/fields-access-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Resources/doc/security/fields-access-control.md b/Resources/doc/security/fields-access-control.md index 235b7a5e8..7949edbfb 100644 --- a/Resources/doc/security/fields-access-control.md +++ b/Resources/doc/security/fields-access-control.md @@ -1,7 +1,7 @@ Fields access Control ====================== -An access control can be add on each field using `config.fields.*.access` or globally with `config.fieldsDefaultAccess`. +An access control can be added on each field using `config.fields.*.access` or globally with `config.fieldsDefaultAccess`. If `config.fields.*.access` value is true field will be normally resolved but will be `null` otherwise. Act like access is`true` if not set. From 4515866d4fc2eede2d8e3a2bc11d7c65b2609c8f Mon Sep 17 00:00:00 2001 
From: Sylvain Date: Wed, 9 May 2018 18:44:39 +0200 Subject: [PATCH 5/5] doc --- .../doc/security/object-access-control.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 Resources/doc/security/object-access-control.md diff --git a/Resources/doc/security/object-access-control.md b/Resources/doc/security/object-access-control.md new file mode 100644 index 000000000..fc670a588 --- /dev/null +++ b/Resources/doc/security/object-access-control.md @@ -0,0 +1,33 @@ +Object access Control +====================== + +If your GraphQL schema have multiple paths to the same resolver, you may end up with duplicated access control on the different fields leading to this resolver. + +An access control can be added on the whole object using a decorator type for this protected field and make every parent extend this type. + + +An access control can be added on each field using `config.fields.*.access` or globally with `config.fieldsDefaultAccess`. +If `config.fields.*.access` value is true field will be normally resolved but will be `null` otherwise. +Act like access is`true` if not set. + +In the example below the user field protection is set by the decorator: + +```yaml +ProtectedUser: + type: object + decorator: true + config: + fields: + user: {type: User, access: '@=isAuthenticated()'} + +Foo: + type: object + inherits: [ProtectedUser] + config: + fields: + other: {type: String!} + +Bar: + type: object + inherits: [ProtectedUser] +```
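Review bot: the `Note:` block added in PATCH 3/5 (fields-access-control.md, hunk `@@ -5,6 +5,10 @@`) documents a security-relevant ordering without stating its consequence: in query mode the resolver runs before the access expression, so any work or side effects inside the resolver happen even when access evaluates to false and only the returned value is nulled afterwards. Spell that out, e.g. `- in query mode: the resolver is executed first, then the access expression; if access is false the resolved value is replaced by null (the resolver has still run)`, and replace "manage result in function of access" with "the result is kept or nulled depending on the access result".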
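Review bot: the Performance section added in PATCH 3/5 (hunk `@@ -32,3 +36,9 @@`) repeats "using" after "may be dealt with using:"; drop it from the lead sentence or from the bullets, e.g. `Checking access on each field can be a performance issue. It can be mitigated by:` followed by `- using a custom cache so the check runs only once per request` and `- using [Object access control](object-access-control.md)`. The cache bullet should also state the intended cache scope (per request and per user), since a cache keyed more coarsely than the authenticated principal would hand one user's access decision to another.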
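Review bot: PATCH 4/5 (hunk `@@ -1,7 +1,7 @@` of fields-access-control.md) fixes "add" to "added" but leaves two problems on the unchanged context lines directly below: `Act like access is`true` if not set.` is missing a space before the backtick, and `If `config.fields.*.access` value is true field will be normally resolved but will be `null` otherwise.` needs an article and a comma: `If the `config.fields.*.access` value is true, the field is resolved normally; otherwise it is `null`.` Since this is the typo commit, fold both into it; the heading `Fields access Control` could also become `Fields access control` for consistency.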
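Review bot: in PATCH 5/5 (new file object-access-control.md, hunk `@@ -0,0 +1,33 @@`) the example only protects types that declare `inherits: [ProtectedUser]`; a type that defines a `user` field directly, without inheriting the decorator, gets no access check at all. The page should say this is a convention rather than something the schema enforces, and suggest verifying it (for example a test asserting that every type exposing `user` inherits `ProtectedUser`). Wording: "If your GraphQL schema have multiple paths" should read "has multiple paths", and "An access control can be added on the whole object using a decorator type for this protected field and make every parent extend this type." reads better as "Access control can be declared once on a decorator type that holds the protected field, with every parent type inheriting that decorator." The three lines beginning `An access control can be added on each field using` are copied verbatim from fields-access-control.md; link to that page instead of duplicating it so the two do not drift apart.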