permissions based on content owner - not just role #1640
Comments
This would be cool. Here is an example of how I am checking ownership before returning data.

```js
// src/lib/auth.js
import { context, AuthenticationError } from '@redwoodjs/api'

// Throws unless the logged-in user is the owner of the record with this id.
export const isOwner = (id) => {
  if (context.currentUser.id !== id) {
    throw new AuthenticationError('Only the dapp creator can do that.')
  }
}
```

Then in your services:

```js
// services/users/users.js
import { db } from 'src/lib/db'
import { requireAuth, restricted, isOwner } from 'src/lib/auth'
...
export const user = async ({ id }) => {
  const user = await db.user.findUnique({ where: { id } })
  isOwner(user.id)
  return db.user.findUnique({
    where: { id },
  })
}
```
Thank you for your example. Why don't you just return "user" instead of making the same query like two rows above the return? Here:

```js
return db.user.findUnique({
  where: { id },
})
```

So... you still need to have a table in the db with each user and his individual content ids? You don't have a way to store this in Netlify Identity or Auth0?
Right, you could get the id from there. I'm using my own auth solution here, with no external auth client, so I have to get the id from my own database: https://github.com/oneclickdapp/ethereum-auth. Also, you're right about not having to do the user query twice for this example.
I would suggest that anyone who is looking into managing permissions in GraphQL check https://github.com/maticzav/graphql-shield. It is the best library I know, and I am sure that you will love it too and will not look for anything else.
@dthyresson any thoughts here? Seems like there might be a possible use for adding an example to a related cookbook/doc, and/or maybe adding this as an example to the Forum for a future knowledge base.
I don't think RedwoodJS or I have a strong opinion yet as to the best pattern -- often data permissions are app/org-specific, so generalizing them can be tricky. But, yes, a few thoughts:

1 - Re @ccnklc: I have been using

2 - The example @pi0neerpat shows:

is reasonable; however, I would:

and also not findUnique twice. I might consider combining the logic to identify ownership and also requireAuth() in

3 - Another approach is to query on the "relationship" that establishes ownership or authorship. Let's say you can only delete posts you published and that

can become

Or only update a Post that you authored, where

Effectively, it cannot find the model to delete or update due to the where clause. I think you could also join in on the User table if you have one where Author is a User in a one-to-many relationship to Post. See: https://www.prisma.io/docs/concepts/components/prisma-client/filtering/#filter-on-related-records

I'm not sure if this will raise an exception, so you may want to try/catch and throw a ForbiddenError, or you would be better off storing in
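The following is an added example, not code from RedwoodJS, from @pi0neerpat, or from @dthyresson. It puts the two patterns discussed in this thread side by side: the `isOwner`-style check (load the record, compare its owner to `context.currentUser`, then act, here combined with `requireAuth`) and the "query on the relationship" approach (fold the caller's id into the Prisma where clause so a non-owner matches nothing). The Post model, its `authorId` column, the sample rows, and the `requireOwner` helper are assumptions. The Prisma client is replaced by an in-memory stand-in so the code runs without a database; the stand-in is synchronous, whereas the real calls are async and would be awaited in a service. `updateMany`/`deleteMany` are used for the scoped variant because, unlike `update`/`delete`, they accept a non-unique filter and return a match count instead of throwing, so the zero-match case can be turned into an explicit `ForbiddenError`.

```javascript
// Added example (assumed names throughout): ownership checks in a
// Redwood-style service against a fake Prisma client.

class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Constructed sample rows standing in for a Post table with an authorId column.
const posts = [
  { id: 1, title: 'Hello', authorId: 'alice' },
  { id: 2, title: 'World', authorId: 'bob' },
]

// Every key in `where` must equal the row's value (enough for the filters below).
const matches = (row, where) =>
  Object.entries(where).every(([key, value]) => row[key] === value)

// Minimal synchronous stand-in for the Prisma delegate methods used below.
const db = {
  post: {
    findUnique: ({ where }) => posts.find((p) => p.id === where.id) ?? null,
    updateMany: ({ where, data }) => {
      const hits = posts.filter((p) => matches(p, where))
      hits.forEach((p) => Object.assign(p, data))
      return { count: hits.length }
    },
    deleteMany: ({ where }) => {
      const keep = posts.filter((p) => !matches(p, where))
      const count = posts.length - keep.length
      posts.splice(0, posts.length, ...keep)
      return { count }
    },
  },
}

// Redwood populates context.currentUser from the auth provider; here the
// context is passed in explicitly so different callers can be exercised.
const requireAuth = (context) => {
  if (!context.currentUser) {
    throw new AuthenticationError("You don't have permission to do that.")
  }
}

// Pattern 1: load the row, compare its owner to the caller, then act.
// Combines the thread's isOwner idea with requireAuth in one helper.
const requireOwner = (context, ownerId) => {
  requireAuth(context)
  if (context.currentUser.id !== ownerId) {
    throw new ForbiddenError('Only the owner can do that.')
  }
}

const updatePost = (context, { id, input }) => {
  const post = db.post.findUnique({ where: { id } })
  if (!post) return null
  requireOwner(context, post.authorId) // throws for anonymous or non-owner callers
  db.post.updateMany({ where: { id }, data: input })
  return post // same object the stand-in mutated, so it reflects `input`
}

// Pattern 2: put the caller's id in the where clause. A non-owner simply
// matches zero rows, which is reported back as ForbiddenError rather than
// silently succeeding or leaking whether the post exists.
const deletePost = (context, { id }) => {
  requireAuth(context)
  const { count } = db.post.deleteMany({
    where: { id, authorId: context.currentUser.id },
  })
  if (count === 0) {
    throw new ForbiddenError('Post not found or not owned by you.')
  }
  return { id }
}

// Build a context for a given user id (null = anonymous).
const asUser = (id) => ({ currentUser: id ? { id } : null })

// Runs a service call and returns either its result or the thrown error's class name.
const attempt = (fn) => {
  try {
    return fn()
  } catch (e) {
    return e.constructor.name
  }
}
```

With this in place, `attempt(() => updatePost(asUser('bob'), { id: 1, input: { title: 'x' } }))` yields `'ForbiddenError'` while the same call as `'alice'` returns the updated post, and `deletePost` as `'bob'` on post 1 leaves the row untouched. The scoped variant does one round trip instead of two, but the explicit-check variant gives a clearer distinction between "not found" and "not yours" if your API wants to expose it.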
These are good suggestions @dthyresson. I've also set up

Until then, I think keeping the current "write your own permissions checks" is totally sufficient, plus cookbooks for @dthyresson's wisdom of using shield + redwood. Is there a forum discussion for this yet?
@thedavidprice I think we can close out this issue -- or create a new one for a cookbook or other docs?
Hi All,
Love your work! I think redwood is going to be the future!
I want to contribute by posting some questions about permissions ;)

How do you give permissions, e.g. for authors only, to the pages/cells/content they created, not just based on roles?

Like in GitHub, for example: everyone is a user, but by default only has write access to his own repositories and has access to view and edit his own profile.

I suppose you should make a service to check in a database whether a user has the privilege for a given page. Is there a nice standard way to architect this in Redwood so as not to overload the database on each page view?