Open marktani opened 6 years ago
marktani
commented
6 years ago 
How should that look like in your opinion? The EVERYONE and AUTHENTICATED permissions would be straight-forward, but how about permission queries?
I'd like to brainstorm about possible PQs and what variables would be needed as a result 🙂
$user_id makes a lot of sense here, what do you think about having access to the scalar input values a well?
marktani
commented
6 years ago 
I already took the first part into consideration when I came up with this. So this fits in there nicely.
Regarding fields, yes I think that it would be the most consistent behavior if input values are available to the PQ.
Also, regarding the PQ themselves. If I have a SE that acts on an existing type (highlightPost(postId: ID!)), it makes perfect sense to use SomePostExist in a PQ, so I think they can for the most part behave like the other PQ's. Especially with the calling context available (can't find the FR), having $user_id in there starts making sense too!
marktani
commented
6 years ago 
What about using the same permission syntax as a check in order to call the function.
I.E.
- operation: MyFunctionName
authenticated: true
query: ./should-call-my-func.graphqlAnd if that query passes the function will be invoked.
marktani
commented
6 years ago marktani
commented
6 years ago 
+1 Currently permissions work for crud operations or has this change with v1.0?
marktani
commented
6 years ago 
FWIW this is how permissions are supposed to be handled in Prisma at this point: https://www.prismagraphql.com/docs/tutorials/graphql-server-development/permissions-thohp1zaih Is there still a reason to have a separate mechanism for defining permissions?
ahsanwtc
commented
6 years ago yeah would be nice to have restricted access to certain resolvers
Currently, there's no way to define permissions for resolver function queries and mutations.