Currently there is not way to secure a field differently than the entire type.
I have seen around 5 people leave DGraph due to this missing feature alone.
Example 1
Let's say I have:
type Post @auth(...) {
id: ID!
title: String!
votes: [User]
...
}
I can use Auth Rules to prevent users from adding and updating the type. But what if I want to allow users to edit a certain field, and only a certain field.
If a user votes, they need to add a connection in the votes type. They should not have access to the other fields.
Example 2
The opposite example is preventing a user from editing a field in a post:
type User @auth(...) {
id: ID!
username: String!
role: Role!
...
}
Let's say the role is User. I should not allow a regular user to update their own role to Admin.
The theoretical fix would be to have something like this:
type Post @auth(...) {
id: ID!
votes: [User] @auth(... some field based auth rule here)
...
}
Security makes and breaks DGraph for a lot of users, and will do the same with Outserv IMO.
Currently there is not way to secure a field differently than the entire type.
I have seen around 5 people leave DGraph due to this missing feature alone.
Example 1
Let's say I have:
I can use Auth Rules to prevent users from adding and updating the type. But what if I want to allow users to edit a certain field, and only a certain field.
If a user votes, they need to add a connection in the
votes
type. They should not have access to the other fields.Example 2
The opposite example is preventing a user from editing a field in a post:
Let's say the role is
User
. I should not allow a regular user to update their own role toAdmin
.The theoretical fix would be to have something like this:
Security makes and breaks DGraph for a lot of users, and will do the same with Outserv IMO.
J