Graphcool / graphcool-framework

Apache License 2.0

Extend wildcard/templating/override support on permissions #252

Open marktani opened 6 years ago

marktani commented 6 years ago

Issue by kbrandwijk, Monday Oct 02, 2017 at 21:18 GMT

Originally opened as https://github.com/graphcool/prisma/issues/723


I think wildcards on permissions are a really powerful way to specify default behavior that can be overridden. However, this is beyond the current implementation. For example:

permissions:
  - operation: "*.read"
    authenticated: false
  - operation: ["*.update", "*.delete"]
    authenticated: true
    query: ./src/permissions/owner.graphql:ownerOnly
  - operation: "MyType.delete"
    authenticated: true
    query: ./src/permissions/MyType.graphql:deleteOnlyCompletedNodes
  - operation: ["MyOtherType.read"]
    authenticated: true
  - operation: ["VeryRestrictedType.*"]
    authenticated: true
    query: ./src/permissions/admin.graphql:userNeedsToBeAdmin

So there are a few things here:

Another approach, inspired by https://www.graph.cool/forum/t/feedback-new-cli-beta/949/50?u=agartha, would be to even abstract this further, by adding 'permission definitions':

permissionTemplates:
- authenticatedAdmins:
    authenticated: true
    permission: ./src/permissions/admin.graphql:userNeedsToBeAdmin
- authenticatedOwners:
    authenticated: true
    permission: ./src/permissions/owner.graphql:ownerOnly

permissions:
  - operation: "*.read"
    authenticated: false
  - operation: ["*.update", "*.delete"]
    applyTemplates: ["authenticatedAdmins", "authenticatedOwners"]
  - operation: "MyType.delete"
    authenticated: true
    query: ./src/permissions/MyType.graphql:deleteOnlyCompletedNodes
  - operation: ["MyOtherType.read"]
    authenticated: true
  - operation: ["VeryRestrictedType.*"]
    applyTemplates: "authenticatedAdmins"

Because of this normalized, inherited structure, it would be nice if graphcool info or another command would show you the 'effective' permissions for all types, so:
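
Added example, not part of the original issue and not Graphcool's own code: one way an 'effective permissions' view could be computed for the first rule set above. The precedence order (exact `Type.op` beats `Type.*`, which beats `*.op`), the deny-when-nothing-matches default, the `create` operation in the table, and all function names are assumptions made for illustration.

```python
# Added example: resolves wildcard permission rules to the effective rule per Type.operation.
# RULES is transcribed from the issue's first YAML block; everything else is hypothetical.
RULES = [
    {"operation": ["*.read"], "authenticated": False},
    {"operation": ["*.update", "*.delete"], "authenticated": True,
     "query": "./src/permissions/owner.graphql:ownerOnly"},
    {"operation": ["MyType.delete"], "authenticated": True,
     "query": "./src/permissions/MyType.graphql:deleteOnlyCompletedNodes"},
    {"operation": ["MyOtherType.read"], "authenticated": True},
    {"operation": ["VeryRestrictedType.*"], "authenticated": True,
     "query": "./src/permissions/admin.graphql:userNeedsToBeAdmin"},
]

def specificity(pattern):
    """Assumed precedence: Type.op (3) > Type.* (2) > *.op (1) > *.* (0)."""
    type_part, op_part = pattern.split(".")
    return 2 * (type_part != "*") + (op_part != "*")

def matches(pattern, type_name, op):
    type_part, op_part = pattern.split(".")
    return type_part in ("*", type_name) and op_part in ("*", op)

def effective(rules, type_name, op):
    """Rules at the highest matching specificity; [] means no rule applies (assumed deny)."""
    hits = [(specificity(p), r) for r in rules for p in r["operation"]
            if matches(p, type_name, op)]
    top = max((s for s, _ in hits), default=None)
    return [r for s, r in hits if s == top]

def effective_table(rules, types, ops=("read", "create", "update", "delete")):
    """Expand every Type.operation pair so wildcard defaults become visible per type."""
    return {f"{t}.{o}": effective(rules, t, o) for t in types for o in ops}

def public_operations(table):
    """Operations whose effective rule allows unauthenticated access: review these first."""
    return sorted(k for k, rs in table.items() if any(not r["authenticated"] for r in rs))

if __name__ == "__main__":
    table = effective_table(RULES, ["MyType", "MyOtherType", "VeryRestrictedType"])
    for key, rs in table.items():
        print(key, [(r["authenticated"], r.get("query")) for r in rs] or "DENY (no rule)")
    print("unauthenticated:", public_operations(table))
```

Under these assumptions the `*.read` default leaves only `MyType.read` open to unauthenticated callers, because the more specific `MyOtherType.read` and `VeryRestrictedType.*` rules override it.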

marktani commented 6 years ago

Comment by FredyC Monday Oct 02, 2017 at 21:42 GMT


I definitely like this, permissions deserve some love to become an adult.