graphql single mutation with two authorizations

I have this mutation that updates tasks, but I don't want to allow admins to modify the assigned_to field; I want this to be only modifiable by the super-admin. Here's how the code looks currently. Just for clarification, I haven't implemented any authorization or shield code yet; it's my first encounter with GraphQL.

// update task
import { GraphQLInt, GraphQLString } from 'graphql';
import { TaskType } from './TaskType';   // assumed path: the page does not show where TaskType is defined
import db from './models';               // assumed path: the Sequelize models object

export const UPDATE_TASK = {
    type: TaskType,
    args: {
        task_id: { type: GraphQLInt },
        due_date: { type: GraphQLString },
        task_status_id: { type: GraphQLInt },
        task_type_id: { type: GraphQLInt },
        assigned_to: { type: GraphQLString },
        client_id: { type: GraphQLString }
    },
    async resolve(parent: any, args: any) {
        const { task_id } = args;
        // Sequelize's update() resolves to [affectedCount] (the updated rows are only
        // returned on Postgres with `returning: true`), so check the count ...
        const [affected] = await db.Task.update({ ...args }, { where: { task_id } });

        if (!affected) {
            return { notification: { message: "update failed", status: false } };
        }

        // ... and re-read the row to return the updated task
        const task = await db.Task.findByPk(task_id);
        return { ...task.get({ plain: true }), notification: { message: "updated", status: true } };
    }
};

Should I make two separate calls to update, one that runs with {attributes: {exclude: ['assigned_to']}} for normal admins and one for super-admins, or a completely separate mutation?

Also, to avoid updating the id every time it's run, should I add the exclude for ids too?
I use Sequelize for the ORM.


1 Answer

Information about the user should be part of your GraphQL context. With this in mind, you can do it all in one mutation.

async resolve(parent: any, { task_id, assigned_to, ...rest }: any, { user }: any) {
  let updateObject;

  if (isSuperAdmin(user)) updateObject = { assigned_to, ...rest };
  else if (isAdmin(user)) updateObject = { ...rest };
  else if (user.id === assigned_to) updateObject = { /* … select whatever fields the assigned user can modify */ };
  else return { notification: { message: "authorization failed", status: false } };

  // Sequelize's update() resolves to [affectedCount], so re-read the row for the response
  const [affected] = await db.Task.update(updateObject, { where: { task_id } });
  if (!affected) return { notification: { message: "update failed", status: false } };
  const task = await db.Task.findByPk(task_id);
  return { ...task.get({ plain: true }), notification: { message: "updated", status: true } };
}

Where isSuperAdmin(user) is a function that determines whether or not the current user is a super-admin, and isAdmin(user) similarly determines whether or not the current user is an admin.
