# orm-help
t
Also -- and forgive me if this is more general graphql-oriented than prisma -- I'm trying to wrap my head around how authorisation would work in my app, particularly with nested data. Like if a supervisor (user) can only see the "private notes" of employees (users) that report up to her, I know how I'd enforce that on the root level, putting a check in the `notes` resolver. But what's to stop someone from making a `users` query, and including the `manager` property, and the `notes` on that manager? Would that still hit the root level `notes` resolver? If so, is the way to solve issues like these by running a check on the `parent` arg too?
I felt a bit more protected here with PostGraphQL because of row-level security. Just trying to understand how I'd implement it in a more traditional graphql server, and with prisma.
n
You can also write type-based resolvers, so that's an aspect to keep in mind. No matter where the type is returned in a query, the type resolver will be executed. I see two common approaches for handling authorization these days. Both should be a good fit for your situation.
- directive based approach: https://blog.graph.cool/graphql-directive-permissions-authorization-made-easy-54c076b5368e cc @lawjolla
- middleware based approach: https://github.com/maticzav/graphql-shield / https://github.com/graphcool/graphql-middleware cc @matic #graphql-middleware
m
Check out `graphql-shield` as well!
t
Thanks, I'll check these out. Was just reading Apollo's blog post on authorisation, which was helpful but didn't quite go to this depth.