In my opinion, the biggest security risk to Dgraph as it stands is the lack of update-after validation.
https://dgraph.io/docs/graphql/authorization/directive/
Current Auth Rules
-query - checks for valid rules at current state, nothing is changed
-add - checks for valid rules AFTER the data is added
-update - checks for valid rules BEFORE the data is added
-delete - checks for valid rules BEFORE the data is deleted
The problem with these rules is that there are two states to an update mutation - BEFORE the mutation and AFTER the mutation.
This means I can only add data based on the add rules, but I can change the data later with NO rules. This is a problem.
This would be a MINOR update to security, and would add an update-after @auth rule.
THIS IS THE NUMBER 1 MISSING FEATURE IN MY OPINION!
https://discuss.dgraph.io/t/feature-request-update-after-auth-validation/14799
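The timing gap described in the post above, as an added example that is not part of the original post and is not Dgraph code: a simplified Python model in which the same ownership rule is checked after an add but only before an update. The `Store` class, the `owner_rule` function, the sample users and the `check_update_after` switch (standing in for the requested update-after rule) are all hypothetical.

```python
# Simplified model of the @auth timing described in the post; not Dgraph code.
# Constructed rule used for every operation: the node's owner must be the caller.

def owner_rule(node, user):
    return node["owner"] == user

class Store:
    def __init__(self, check_update_after=False):
        self.nodes = {}
        # Hypothetical switch modelling the requested update-after rule.
        self.check_update_after = check_update_after

    def add(self, user, node_id, node):
        # add: the rule is evaluated against the data AFTER it is added
        if not owner_rule(node, user):
            return False
        self.nodes[node_id] = dict(node)
        return True

    def update(self, user, node_id, patch):
        current = self.nodes[node_id]
        # update: the rule is evaluated against the data BEFORE the change
        if not owner_rule(current, user):
            return False
        candidate = {**current, **patch}
        # Proposed: also evaluate the rule against the resulting data
        if self.check_update_after and not owner_rule(candidate, user):
            return False
        self.nodes[node_id] = candidate
        return True

def demo(check_update_after):
    store = Store(check_update_after)
    results = {
        # Constructed sample data: alice is the authenticated caller.
        "add_own": store.add("alice", "n1", {"owner": "alice", "text": "hi"}),
        "add_as_bob": store.add("alice", "n2", {"owner": "bob", "text": "hi"}),
        "reassign_owner": store.update("alice", "n1", {"owner": "bob"}),
    }
    results["final_owner"] = store.nodes["n1"]["owner"]
    return results

if __name__ == "__main__":
    print("before-only update check:", demo(False))
    print("with update-after check: ", demo(True))
```

With the before-only check, the add that names another owner is rejected but the later update producing the same state is accepted; with the after check enabled, both are rejected.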