code0-tech / sagittarius

The orchestrating backend for the Code0 application

Implement UserAbilities #172

Closed Taucher2003 closed 4 months ago

Taucher2003 commented 4 months ago

We don't want the frontend to make its own ability evaluations; we want it to rely on the evaluations made in the backend.

While we do reject requests made without permission, the frontend should still have the option to hide or show functionality based on the user abilities. For that, we can expose them via GraphQL.

To prevent code duplication, it should probably look something like the example below. The expose_user_abilities should take care of creating the type and implementing the logic for checking the abilities.

It should not be a field like userAbilities: [Types::OrganizationRoleAbilityEnum!]! because we don't want to evaluate all permissions. We only want to evaluate permissions that are requested from the query.

```ruby
module Types
  class OrganizationType < Types::BaseObject
    # [...] other fields

    expose_user_abilities %i[invite_member delete_member] # and any other abilities we want to expose
  end
end
```

```graphql
query organization($id: OrganizationID!) {
  organization(id: $id) { # Organization
    # [...] other fields
    userAbilities { # OrganizationUserAbilities!
      inviteMember # Boolean!
      deleteMember # Boolean!
    }
  }
}
```
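One way to realise the `expose_user_abilities` idea, as an added plain-Ruby example that is not sagittarius code and does not use the graphql-ruby gem: `OrganizationPolicy`, its `allowed?` interface and `resolve_user_abilities` are assumed stand-ins for the app's policy layer and GraphQL resolver, and the camelCase field naming is left to the GraphQL layer.

```ruby
# Added example (not sagittarius code): a plain-Ruby sketch of the proposed
# `expose_user_abilities` macro, without the graphql-ruby gem. A policy
# object (assumed interface) decides each ability, and an ability is only
# evaluated when its field is actually resolved.
# Constructed policy: the backend stays the single source of truth.
class OrganizationPolicy
  attr_reader :evaluations
  def initialize(user, organization)
    @user = user
    @organization = organization
    @evaluations = 0 # how many abilities were actually checked
  end

  def allowed?(ability)
    @evaluations += 1
    case ability
    when :invite_member then @organization[:admins].include?(@user)
    when :delete_member then @organization[:owner] == @user
    else false # anything unknown is denied by default
    end
  end
end

module ExposeUserAbilities
  # Generates a nested UserAbilities class with one predicate per ability.
  # Each predicate defers to the policy, so resolving `inviteMember`
  # never evaluates `deleteMember`.
  def expose_user_abilities(abilities)
    abilities_class = Class.new do
      define_method(:initialize) { |policy| @policy = policy }
      abilities.each do |ability|
        define_method(ability) { @policy.allowed?(ability) }
      end
    end
    const_set(:UserAbilities, abilities_class)
    define_method(:user_abilities) { |policy| abilities_class.new(policy) }
  end
end

class OrganizationType
  extend ExposeUserAbilities
  expose_user_abilities %i[invite_member delete_member]
end

# Stand-in for the GraphQL field resolver: only the selected abilities are
# evaluated; an ability that was not exposed raises NoMethodError.
def resolve_user_abilities(policy, requested)
  abilities = OrganizationType.new.user_abilities(policy)
  requested.each_with_object({}) { |n, h| h[n] = abilities.public_send(n) }
end
```

The `evaluations` counter makes the laziness observable: a query selecting only `inviteMember` triggers exactly one policy check.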