joaovitorsilvestre / graphene-mongodb

Implementation of Graphene and Mongoengine
MIT License
14 stars, 4 forks

Question: Validate requests before servicing them #37

Closed stratosgear closed 6 years ago

stratosgear commented 6 years ago

I have protected the /graphql/ endpoint and I require JWT authentication before accepting any requests there.

This works correctly, and if the user is not logged in, their request gets rejected.

With the existing implementation, I can overwrite MyModel.mutate and veto any mutations on the models that the user does not have access rights to change (the JWT token included in the Authentication Headers carries authorization roles, a list of strings, that let me know which models the user can manipulate).

What would be the suggested way to also block requests to list/display models that the user should not have access to? Any ideas on how to implement something like that?

Obviously, the Frontend App will be blocking buttons/actions etc. that are not allowed to the user, but for security reasons the backend will also need to double-check all incoming requests, regardless.

stratosgear commented 6 years ago

Sorry, I do not know how I missed the def validator method on the first page, but I found the more obscure mutate method for mutations!!!

And to just wrap it up, with a check of the jwt.get_jwt_claims() in the validator method of the model I can see what roles the user has, so I can block the access by raising an exception.

Closing!
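The role check described in the thread (read the roles from the verified JWT claims inside the model's validator/mutate hooks and raise to veto the request), written out as an added example. This is not code from graphene-mongodb or from the issue author; the "roles" claim layout, the POLICY table and the Product/Invoice model names are assumptions, and the hook is built to accept whatever arguments the library passes rather than asserting a particular signature.

```python
"""Deny-by-default role check for GraphQL reads and mutations, driven by JWT claims.

Added example; not code from graphene-mongodb or from the issue author.
Assumed: the JWT carries a "roles" claim that is a list of strings, and the
role -> model policy below is invented for illustration.
"""
from typing import Callable, Mapping


class Forbidden(Exception):
    """Raised to veto a request; graphene surfaces it as a GraphQL error."""


# Assumed policy: which roles may read or mutate which Mongoengine models.
POLICY = {
    "Product": {"read": {"viewer", "editor", "admin"}, "mutate": {"editor", "admin"}},
    "Invoice": {"read": {"accounting", "admin"}, "mutate": {"admin"}},
}


def roles_from_claims(claims: Mapping) -> frozenset:
    """Return the roles in the token, rejecting malformed claims.

    A missing claim, or one that is a bare string instead of a list, must not
    silently become "no restrictions" or be matched character by character.
    """
    roles = claims.get("roles")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise Forbidden("token carries no usable roles claim")
    return frozenset(roles)


def check_access(claims: Mapping, model_name: str, operation: str) -> bool:
    """Allow only when the token holds a role listed for this model/operation.

    Unknown models or operations are denied rather than passed through, so a
    model that was never added to POLICY cannot be read by accident.
    """
    allowed = POLICY.get(model_name, {}).get(operation)
    if not allowed:
        raise Forbidden("%s on %s is not permitted" % (operation, model_name))
    if not roles_from_claims(claims) & allowed:
        raise Forbidden(
            "%s on %s requires one of %s" % (operation, model_name, sorted(allowed))
        )
    return True


def make_guard(claims_provider: Callable[[], Mapping], model_name: str, operation: str):
    """Build a hook body for a schema's validator (reads) or mutate (writes).

    claims_provider is whatever returns the current request's verified claims;
    with Flask-JWT-Extended that is flask_jwt_extended.get_jwt_claims (3.x) or
    flask_jwt_extended.get_jwt (4.x). A lambda is used below so the example
    runs without a web framework.
    """
    def guard(*hook_args, **hook_kwargs):
        # The hook's own arguments are ignored on purpose: the decision depends
        # only on the verified token, never on anything the client sent.
        check_access(claims_provider(), model_name, operation)
    return guard


# Constructed request contexts standing in for two decoded, already-verified JWTs.
VIEWER_CLAIMS = {"sub": "alice", "roles": ["viewer"]}
ADMIN_CLAIMS = {"sub": "bob", "roles": ["admin"]}

# Guards as they would be called from a Product schema's validator / mutate
# (the real hook signature is graphene-mongodb's; these accept anything).
product_read_guard = make_guard(lambda: VIEWER_CLAIMS, "Product", "read")
product_mutate_guard = make_guard(lambda: VIEWER_CLAIMS, "Product", "mutate")


if __name__ == "__main__":
    product_read_guard()                # viewer may list Products
    try:
        product_mutate_guard()          # but may not change them
    except Forbidden as exc:
        print("vetoed:", exc)
    check_access(ADMIN_CLAIMS, "Invoice", "mutate")
```

The guard deliberately decides on the token alone and denies anything not explicitly listed, so adding a new model without adding a policy entry fails closed. Each schema that exposes a model needs its own guard; a model reachable only through a relation field on another schema is not covered by the parent's check.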