Right now I am using accesscontrol to manage the ACL and it is working great. It looks something like this:
const { AccessControl } = require('accesscontrol')
const ac = new AccessControl(grants) // grants: the role/resource/action table

const methods = {
  async update(parent, { id, data }, ctx, info) {
    // 'role' and 'model' stand in for the caller's role and the resource name
    const acUpdate = ac.can('role').updateOwn('model')
    if (!acUpdate.granted) throw new ACError()
    // keep only the attributes this role is allowed to update
    const filtered = acUpdate.filter(data)
    return await ctx.db.mutation.updateOrganization({
      data: filtered,
      where: { id }
    }, info)
  }
}
However, on a Query method from GraphQL I don't know how to filter the requests to the DB. For example, on a nested query it may look like this:
{
  model {
    id
    name
    user {
      id
      name
      pictures {
        id
        name
      }
    }
  }
}
So on the resolver it would check if they have access to Model, then it would send the request to the Prisma server without filtering the GQL schema. In this scenario let's say that the user has access to read model but not user. Ideally I'd like to do a permission.filter(...) on the actual request schema (info?) before sending it to Prisma. Have any of you solved this? Of course it's possible to filter the request after it has resolved, but that level of computation is not necessary and can cause issues if abused.
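One way to do the filtering on the request side, as an added example that is not part of the original post and not code from the accesscontrol or Prisma projects: walk the selection-set AST that a resolver receives in `info.fieldNodes[0].selectionSet` and drop every field the role is not granted before the query is forwarded. The permission table `PERMS` and the relation map `RELATIONS` are hypothetical stand-ins for accesscontrol grants (the attribute lists have the same shape as `permission.attributes`), the AST below is constructed by hand in the shape graphql-js produces, and `pruneFor` is a helper written for this example.

```javascript
// Added example: prune a GraphQL selection set against a read-permission
// table before forwarding it to Prisma. Self-contained: the AST is built by
// hand in graphql-js shape; no graphql or accesscontrol import is needed.

// Hypothetical permission table: role -> resource -> readable attributes.
// '*' means every attribute; a resource absent from the map is not readable.
const PERMS = {
  viewer: {
    model: ['id', 'name', 'user'], // may read model, including the user relation field
    // no 'user' entry: the viewer role may not read users at all
  },
  admin: {
    model: ['*'],
    user: ['*'],
    picture: ['id'],
  },
};

// Hypothetical relation map: which resource a relation field resolves to.
const RELATIONS = {
  model: { user: 'user' },
  user: { pictures: 'picture' },
};

function allowedAttrs(role, resource) {
  const grants = PERMS[role] || {};
  return grants[resource] || null; // null: resource not readable by this role
}

function attrAllowed(attrs, name) {
  return attrs.includes('*') || attrs.includes(name);
}

// Returns a new SelectionSet containing only the permitted fields, or null when
// nothing survives, so the caller drops the parent field instead of sending an
// empty `{ }`, which is not valid GraphQL. The input AST is never mutated.
function pruneSelectionSet(selectionSet, role, resource) {
  const attrs = allowedAttrs(role, resource);
  if (!attrs || !selectionSet) return null;
  const selections = [];
  for (const sel of selectionSet.selections) {
    if (sel.kind === 'InlineFragment') {
      // Same resource: prune the inner selections, keep the fragment only if non-empty.
      const inner = pruneSelectionSet(sel.selectionSet, role, resource);
      if (inner) selections.push({ ...sel, selectionSet: inner });
      continue;
    }
    // FragmentSpread and anything else: deny by default (resolving spreads needs info.fragments).
    if (sel.kind !== 'Field') continue;
    const name = sel.name.value;
    if (name === '__typename') { selections.push(sel); continue; }
    if (!attrAllowed(attrs, name)) continue;
    const childResource = (RELATIONS[resource] || {})[name];
    if (childResource) {
      // Relation field: recurse with the child resource's own grants.
      const inner = pruneSelectionSet(sel.selectionSet, role, childResource);
      if (inner) selections.push({ ...sel, selectionSet: inner });
      continue; // relation the role may not read at all: dropped entirely
    }
    selections.push(sel); // scalar field the role may read
  }
  return selections.length ? { ...selectionSet, selections } : null;
}

// Renders a selection set back to GraphQL source, e.g. for the query string
// sent to Prisma or for logging what was actually forwarded.
function printSelectionSet(selectionSet) {
  if (!selectionSet) return '';
  const parts = selectionSet.selections.map((sel) => {
    if (sel.kind === 'InlineFragment') {
      const cond = sel.typeCondition ? ` on ${sel.typeCondition.name.value}` : '';
      return `...${cond} ${printSelectionSet(sel.selectionSet)}`;
    }
    const alias = sel.alias ? `${sel.alias.value}: ` : '';
    const child = sel.selectionSet ? ' ' + printSelectionSet(sel.selectionSet) : '';
    return `${alias}${sel.name.value}${child}`;
  });
  return `{ ${parts.join(' ')} }`;
}

// Constructed sample: the selection set under `model` from the nested query in
// the post, in graphql-js AST shape (only the properties the pruner looks at).
const field = (name, selectionSet) =>
  ({ kind: 'Field', name: { kind: 'Name', value: name }, ...(selectionSet && { selectionSet }) });
const set = (...selections) => ({ kind: 'SelectionSet', selections });
const MODEL_SELECTION = set(
  field('id'),
  field('name'),
  field('user', set(field('id'), field('name'), field('pictures', set(field('id'), field('name'))))),
);

// Helper for this example: what a given role's request to Prisma would look like.
function pruneFor(role) {
  return printSelectionSet(pruneSelectionSet(MODEL_SELECTION, role, 'model'));
}

console.log(pruneFor('viewer')); // { id name }
console.log(pruneFor('admin'));  // { id name user { id name pictures { id } } }
console.log(pruneFor('anon'));   // '' (no grant on model at all: reject the request)
```

In a resolver the input would be `info.fieldNodes[0].selectionSet` (the assumption here is the graphql-js `info` shape; an operation that spreads fragments needs `info.fragments` resolved first, which this example deliberately treats as a denial). Two caveats worth deciding up front: an empty result for the root resource should become an error rather than an empty query, and silently pruning fields changes the response shape the client sees, so a client that asked for `user` and got nothing back needs to be able to tell a denied field from a null one.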