# orm-help
r
I needed some guidance with authorising Prisma queries. I'll try to explain the use case we have. This is what part of our model looks like:
```graphql
type User {
	id: ID! @unique
	username: String!
	password: String!
	memberships: [Membership!]!
	...
	...
}

type Blog {
	id: ID! @unique
	name: String!
	isPublished: Boolean @default(value: "false")
	...
	...
}

type Membership {
	id: ID! @unique
	user: User!
	blog: Blog
	...
	...
}
```
Now, what I need to do is, whenever a query for getting blogs is made, return only those blogs which the user has a membership of and which have been published. Also, I need to respect the arguments passed by the client in the query. The current resolver code, without any authorization check, looks like:
```typescript
blogs: async (_, args, ctx: Context, info) => {
    return ctx.prisma.query.blogs(args, info)
}
```
One way of achieving this would have been filtering out the records returned by the Prisma binding call, but there is no guarantee that the id and isPublished flag would be returned in the response.
n
how is a user authenticated?
is there a way to get the id of the currently authenticated user?
r
We have used directives for authenticating the user, which verify that the token is valid and the corresponding user is present in the database. Once the user is authenticated, the user object is set in the context.
n
ok then you can access the context to get the user id and filter the blogs respectively
can you share the `blogs` query from your schema?
r
The ctx.user object is something like:
```
{
  id
  username
  ...
  ...
  memberships [{
    id
    blog {
      id
      isPublished
    }
  },
  ...]
}
```
n
why are you querying the entire user + memberships for every request?
r
The problem with filtering out records is, I am not sure if the blog id and isPublished flag would be returned in the response of the Prisma binding call. It would depend on the fields queried by the user.
n
can you share the `blogs` query from your schema?
r
Most of my mutations and queries are dependent on membership, which is the reason I query them in the authentication directive.
Query:
```graphql
blogs(where: BlogWhereInput, orderBy: BlogOrderByInput, skip: Int, after: String, before: String, first: Int, last: Int): [Blog]! @isAuthenticated
```
n
ok, so all you have to do is to "merge" the incoming `where` like so:
```javascript
AND: [{isPublished: true}, {memberships_some: { user: { id: userId } } }, {...incomingWhere}]
```
r
I'll give this a try. Just need to verify what happens if the `isPublished` flag is passed in the where as well.
n
If it is `isPublished: false` it would return no elements.
but this is unexpected client behaviour
you can also think about making the filter arguments more specific for your `blogs` query
or even just offer a `publishedBlogsByUser` query without any filter arguments
r
Thanks Nilan. Having UI-specific queries instead of generic ones makes sense to me.
Thank you for the help 🙂