keystonejs / keystone

The superpowered headless CMS for Node.js — built with GraphQL and React
https://keystonejs.com
MIT License

Field Visibility #2205

Closed cansoysal closed 4 years ago

cansoysal commented 4 years ago

Hi, I'm trying to change field visibility depending on the user's access role. In Keystone Classic (v4) there are "hidden" and "noedit" properties. Seems like they are missing in V5.

gautamsi commented 4 years ago

you can use access control. if user read access is denied, they cannot see this in admin-ui

cansoysal commented 4 years ago

OK, if I set the field's access: false, it doesn't show up. But if I set it as below, it shows up in the entry list as 'error'. The Create button is present too, btw.

product.js

...
    store: {
      access: {
        read: access.userIsAdmin,
        update: access.userIsAdmin,
        create: access.userIsAdmin,
        delete: access.userIsAdmin,
        // auth: true,
      },
      type: Relationship,
      ref: 'Store',
    },

store.js

const Store = {
  access: {
    read: access.userIsAdmin,
    update: access.userIsAdmin,
    create: access.userIsAdmin,
    delete: access.userIsAdmin,
  },
  // ... (rest of the list definition not shown in the original post)
};

access.js

const userIsAdmin = ({ authentication: { item: user } }) => Boolean(user && user.isAdmin);
justintemps commented 4 years ago

@cansoysal did you ever get any clarity on this?

gautamsi commented 4 years ago

I have a PR which shows read only fields in the UI as disabled fields. https://github.com/keystonejs/keystone/pull/2258

this is only in the admin-ui, the graphql endpoint has to be protected with access control.

if you use a function in access control then this is going to be treated as "maybe true" in admin-ui and let access control protect you

justintemps commented 4 years ago

But then if it's false, I can't access it from graphql either, can I?

gautamsi commented 4 years ago

if it is false you cannot use it in GraphQL. maybe true means it does !!function(){} which is true so you see them in admin-ui.

I believe you still see them in GraphQL which evaluates in the backend and eventually denies based on access control.
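
A simplified model of the "maybe true" behaviour discussed above, added as an example; it is not part of the thread and not Keystone's own code. `userIsAdmin` is taken from the access.js snippet earlier in the thread; the other function names and the sample sessions are hypothetical and constructed for illustration.

```javascript
// Simplified model of the behaviour described in this thread; not Keystone's code.
// userIsAdmin is copied from access.js above; every other name is hypothetical.
const userIsAdmin = ({ authentication: { item: user } }) => Boolean(user && user.isAdmin);

// Admin UI side: the client only knows how access was declared, not its result.
// A static `false` hides the field; a function coerces to true ("maybe true").
function adminUiShowsField(readAccess) {
  return !!readAccess;
}

// Server side: the declaration is evaluated per request against the session.
// This is the only check that actually protects the data.
function serverAllowsRead(readAccess, context) {
  return typeof readAccess === 'function'
    ? Boolean(readAccess(context))
    : Boolean(readAccess);
}

// What a user experiences for one field under a given declaration.
function fieldOutcome(readAccess, context) {
  if (!adminUiShowsField(readAccess)) return 'hidden';
  // Field is rendered, so the UI queries it and the server decides.
  return serverAllowsRead(readAccess, context) ? 'value' : 'error';
}

// Constructed sessions for illustration.
const admin = { authentication: { item: { id: 1, isAdmin: true } } };
const editor = { authentication: { item: { id: 2, isAdmin: false } } };
const anonymous = { authentication: { item: undefined } };

function demo() {
  return {
    staticFalse: fieldOutcome(false, admin),              // never rendered
    fnAdmin: fieldOutcome(userIsAdmin, admin),            // rendered and readable
    fnEditor: fieldOutcome(userIsAdmin, editor),          // rendered, denied by server
    fnAnonymous: fieldOutcome(userIsAdmin, anonymous),    // rendered, denied by server
  };
}

console.log(demo());
```

The `fnEditor` case corresponds to the 'error' entry reported earlier in the thread: the field is drawn because the declaration is truthy, and the server-side check then refuses the read.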

Sylchi commented 4 years ago

I need to hide some fields and even lists from admin ui, but still would like to use them in graphql. Example -> virtual fields that compute values from user input.

gautamsi commented 4 years ago

I don't think that is possible. it is not hard to implement but have not seen this (or similar requests) on priority list for this repo.

you might want to fork admin ui to do the same. another caveat for that is you will need to fork more packages to pass down configurable info.

if https://github.com/keystonejs/keystone/pull/2314 makes its way in, then it is only forking the admin-ui. I even have a plan to publish my fork of admin ui with more customisability.

Fabyao commented 4 years ago

@gautamsi Thanks for the clarifications. I am also in the same situation as @Sylchi where I need to hide certain fields and lists from the Admin UI. This is to limit the amount of information the user administering the CMS sees.

Sylchi commented 4 years ago

As far as I know this function has been available in keystonejs in the earlier versions and has been omitted in version 5. I guess this has just not been implemented. To me it seems like a core functionality that should be in the main repo.

Use case is where the fields are necessary to be accessible from the api, but are cluttering the admin UI.

MadeByMike commented 4 years ago

We've now added readOnly fields: #2258