Skip to content

Prototyped permissions (#13) #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: dev
Choose a base branch
from
Open

Prototyped permissions (#13) #65

wants to merge 8 commits into from

Conversation

@bdunogier
Copy link
Owner

@bdunogier bdunogier commented Nov 11, 2018
edited
Loading

Custom policies

Introduces custom policies for graphql, and applies them to limit public fields (non public fields aren't shown in the schema for the current user).

content

Restricts interaction with content, with a limitation by type. Applies to types fields inside domain content types groups.

image

image

image

Other

The _repository field will only show up for users with at least one of content/edit, class/update or role/view.

TODO

  • Rename content_type_view to content_type
  • Apply the same checks to {group}._types
  • Consider doing the same thing for a whole group. But there is no limitation for that. Show only if the user has permission on at least one item from the group ? What's the performance hit ?

Prototyped permissions (#13)
b932c6f 
The `_repository` field will only show up for users with at least one of content/edit, class/update or role/view.
Can easily be extended to more granular items.
Bertrand Dunogier added 3 commits November 11, 2018 16:24
Changed expressions to explicitly list policies in 'public' call
8f15573
Custom graphql/content policy
48b76a0 
Allows to restrict which content types a user is allowed to see over graphql.

```
DomainGroupContent:
  type: object
  fields:
    articles:
      type: "[ArticleContent]"
      public: '@=service("ezplatform_graphql.can_user").viewContentOfType("article")'
```

fixup! Custom graphql/content_type_view policy
Added permissions check of group types with graphql/content
738ebf8
@bdunogier bdunogier mentioned this pull request Nov 11, 2018
Open
Bertrand Dunogier added 4 commits November 11, 2018 18:41
Restricted visibility of relation list based on type
e222e4f 
If a relation list field is typed to one domain item, it is only visible if the user has permission for this type.
Added viewer field to platform schema
bef46ba 
Returns the current user:

```
{
  viewer { id login }
}
```
Implemented api key based authentication
5678894 
See doc/security.md

Requires improvements.
Leftover expression language functions
5ccc637
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bdunogier