Open RomBurunduk opened 6 days ago
Hi @RomBurunduk, currently the example authorization and the version we run at @movio are both based on the allowlist. We haven't yet added a denylist option.
After a brief look you could alter the `AllowedFields` struct in `auth.go` so that `IsAllowed` checks for a deny option as well as the allow checks. It could be marshalled as a `-` for example, so a simple permission looked like:

```json
{
  "query": "*",
  "mutation": "-"
}
```
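The deny marker suggested in the comment above, sketched as an added example that is not part of the thread and not the project's own code. The `Rule` type, its fields and the sample policy are hypothetical; only the `*` and `-` markers and the `IsAllowed` name come from the comment.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Rule is a hypothetical permission node, not the project's AllowedFields:
// "*" allows a whole subtree, "-" denies it, an object lists subfields.
type Rule struct {
	AllowAll, Deny bool
	Sub            map[string]Rule
}

// UnmarshalJSON accepts "*", "-" or a nested object and rejects other strings.
func (r *Rule) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) != nil {
		return json.Unmarshal(b, &r.Sub) // not a string: expect an object
	}
	switch s {
	case "*":
		r.AllowAll = true
	case "-":
		r.Deny = true
	default:
		return fmt.Errorf("unknown permission marker %q", s)
	}
	return nil
}

// IsAllowed walks a field path. "-" denies the subtree, "*" allows it,
// and a field that is not listed is denied (the allowlist default).
func (r Rule) IsAllowed(path ...string) bool {
	if r.Deny {
		return false
	}
	if r.AllowAll || len(path) == 0 {
		return true
	}
	sub, ok := r.Sub[path[0]]
	return ok && sub.IsAllowed(path[1:]...)
}

func main() {
	var p Rule // constructed sample policy
	if err := json.Unmarshal([]byte(`{"query":{"movies":"*","users":"-"},"mutation":"-"}`), &p); err != nil {
		panic(err)
	}
	fmt.Println(p.IsAllowed("query", "movies"), p.IsAllowed("query", "users"), p.IsAllowed("mutation", "x"))
}
```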
Access control is now implemented on a whitelist basis. Is there any way to deny access to some request? In case there are several subqueries in one query - skip one and deny the other.