GraphQL and ACL

Question

We are investigating how we could introduce GraphQL and we are now studying how to use GraphQL with our ACL system.

We basically have this model (as an example):

interface Foo {
  title: string;
}

if you have, lets say, Editing Permissions, then your post model becomes:

interface Foo {
  title: string;
  bar: string;
  foobar: string; 
}

basically, your Foo object is delivered with different fields accordingly with your permissions.

We have been doing some research and a couple of options came out (such as having different types per acl, etc.). But we are not sure what's the best way to do it is.

How should we be describing our types?

You should give a try to https://github.com/maticzav/graphql-shield and see if that fits your case or you may need to roll out your one custom directived around permissions. You can find a working example of the latter here: https://github.com/ecerroni/apollo-connector-kit/blob/master/backend/src/config/_roles-permissions.js — Ric0, Jul 27 '19 at 20:11
Maybe my answer here could be a good starting point: https://stackoverflow.com/questions/49147693/graphql-how-to-distinguish-public-from-private-fields/49152787#49152787 — Herku, Jul 28 '19 at 15:28

GraphQL and ACL

How should we be describing our types?

0 Answers0