https://www.prisma.io/ logo
Join SlackCommunities
Powered by
Is there a way to prevent enumeration of one of my...
# prisma-whats-new
l
Is there a way to prevent enumeration of one of my types, I see a 
list
option for the permissions (https://github.com/graphcool/graphcool-json-schema/blob/master/src/schema.json#L105) but when running 
graphcool deploy
I have the following error:
Copy code
Global
    ✖ unhandled error: Wrong operation defined for ModelPermission. You supplied: 'list'
Also, enumeration seems to be enabled for everyone by default
n
what do you mean with 
enumeration
?
l
I’d like to prevent anyone to get all my Users through a 
allUsers
query
n
remove all permissions for 
User.read
l
Yes, but I still needs that 
User.read
permissions for when someone is accessing a user when listing another type, e.g. ‘Comment’ (which have a ‘User’ author)
n
can you formulate a permission along the lines of this sentence:
"allow a user to read a user node, if they are connected to this user via a comment node"?
l
Allow any user to read any other user provided it's 
id
, prevent 'searching/listing' of all users
n
ok, I see! how would you obtain the id of a user in the first place?
l
Through another type, for instance my 
Post
or my 
Comment
type who both have a relation to 
User
n
and how do they get access to a post or a comment? 🙂
l
Through 
allPosts
for instance, 
Comment
is a relation on 
Post
n
ok, so permissions work from the node perspective - so whether or not you can read a node depends on that node and the relationship to the user
there is no 'list' permission type available currently
l
I understand, it's not a blocking issue, but It might be a nice thing to have
n
yep, I totally agree!
2 Views
Open in Slack
PreviousNext
Powered by