exAspArk / graphql-guard

Simple authorization gem for GraphQL :lock:
MIT License

Skip authorization on return fields #25

Closed egonm12 closed 5 years ago

egonm12 commented 5 years ago

I am having issues with mutations where I return a type that is guarded. Let's say, for example, I have a mutation where a user can reset their password with a token they got via email, and I return a UserType.

mutation($reset_password_token: String, $password: String) {
  newPassword(
    reset_password_token: $reset_password_token,
    password: $password,
    password_confirmation: $password
  ) { id }
}

The problem is that the UserType is guarded, but within the mutation I want to skip the UserType guard policy. Is this possible?

exAspArk commented 5 years ago

Hey @egonm12, that's a very interesting use case. GraphQL-Guard itself doesn't allow skipping some guards for a mutation. But just as an idea, you could use the context to tell whether the execution is after the mutation or not, for example:

mutation: ->(obj, args, ctx) do
  user = User.find(...)
  user.change_password(...)
  # remember who just reset their password for the rest of this request
  ctx[:changed_password_user] = user
end

user_guard: ->(obj, args, ctx) do
  # allow the signed-in user, or the user the mutation above just returned
  ctx[:current_user] == obj || ctx[:changed_password_user] == obj
end

Or simply let the user who performed the mutation be "signed in" after the mutation executes:

mutation: ->(obj, args, ctx) do
  user = User.find(...)
  user.change_password(...)
  # treat this user as signed in for the rest of the request
  ctx[:current_user] = user
end

user_guard: ->(obj, args, ctx) do
  ctx[:current_user] == obj
end
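A runnable version of the first suggestion above, added here as an illustration and not taken from graphql-guard or from the reply: it models the sequence "resolver runs, then the UserType guard checks the returned object" in plain Ruby (a small stand-in executor, not the gem's API), so it runs without the graphql or graphql-guard gems. The User class, the sample users and token strings, and the execute_with_guard / execute_new_password helpers are all constructed for this example.

```ruby
# Added example, not code from graphql-guard or from the reply above: it
# models "resolver runs, then the type guard checks the returned object" in
# plain Ruby so it runs without the graphql/graphql-guard gems. User, the
# sample users, the token strings and execute_with_guard are all constructed
# for this illustration.

class NotAuthorizedError < StandardError; end
class InvalidResetTokenError < StandardError; end

# Constructed stand-in for an ActiveRecord-style user model.
class User
  attr_reader :id, :reset_password_token, :password_digest

  def initialize(id, reset_password_token:)
    @id = id
    @reset_password_token = reset_password_token
    @password_digest = nil
  end

  # Real code would hash the password; here we just record the change and
  # burn the single-use token so it cannot be replayed.
  def change_password(new_password)
    @password_digest = "digest(#{new_password})"
    @reset_password_token = nil
  end
end

# Constructed in-memory "table", carried in ctx[:users] in place of User.find.
def sample_users
  [User.new(1, reset_password_token: 'tok-alice'),
   User.new(2, reset_password_token: 'tok-bob')]
end

def find_user_by_token(users, token)
  return nil if token.nil? || token.empty?
  users.find { |u| u.reset_password_token == token }
end

# UserType guard from the reply: the object is visible to the signed-in user,
# or to the user whose password was reset earlier in this same request.
USER_GUARD = ->(obj, _args, ctx) do
  ctx[:current_user] == obj || ctx[:changed_password_user] == obj
end

# The original guard without the context mark, kept to show the failure.
STRICT_GUARD = ->(obj, _args, ctx) { ctx[:current_user] == obj }

# newPassword resolver: change the password, return the user, and leave a
# mark in ctx that the UserType guard can recognise.
NEW_PASSWORD_MUTATION = ->(_obj, args, ctx) do
  user = find_user_by_token(ctx[:users], args[:reset_password_token])
  raise InvalidResetTokenError, 'invalid or expired reset token' unless user
  user.change_password(args[:password])
  ctx[:changed_password_user] = user
  user
end

# Minimal executor standing in for graphql-ruby + graphql-guard (not the
# gem's API): run the resolver, then apply the type guard to the returned
# object before any of its fields are exposed. Note the side effect has
# already happened by the time the guard runs.
def execute_with_guard(guard, args, ctx)
  user = NEW_PASSWORD_MUTATION.call(nil, args, ctx)
  raise NotAuthorizedError, 'UserType guard failed' unless guard.call(user, {}, ctx)
  { 'id' => user.id }
end

def execute_new_password(args, ctx)
  execute_with_guard(USER_GUARD, args, ctx)
end

if __FILE__ == $PROGRAM_NAME
  ctx = { users: sample_users }
  p execute_new_password({ reset_password_token: 'tok-alice', password: 'hunter2!' }, ctx)
end
```

Running the same flow with STRICT_GUARD (current_user only) fails with NotAuthorizedError for an anonymous caller even though the password change itself succeeded, which is the symptom from the question. The ctx[:changed_password_user] check opens only the one object the mutation returned; the second suggestion, setting ctx[:current_user], also satisfies every other guard in the same request that keys on current_user, because the same ctx hash is handed to every resolver for that request, so with that variant it is worth checking that a single document cannot chain the reset with other operations a bearer of the reset token should not be able to perform.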

ghost commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.