I’d like to implement a basic Post system, such as described in the documentation.
A Post is related to a user, I’d like a Post to be only created/updated/deleted by its author.
    type Post {
      title: String!
      content: String!
      author: User! @relationship(type: "AUTHORED", direction: IN)
    }

    type User @authorization(validate: [{ when: [BEFORE], where: { node: { id: "$jwt.sub" } } }]) {
      id: ID @id
      username: String!
      password: String! #@private
      roles: [String!]
    }
As I set authorization for User, creating or accessing a Post is working fine when sending the right token, e.g. with
    mutation CreatePosts {
      createPosts(
        input: [
          {
            author: {
              connect: {
                where: { node: { id: "bab52c2f-9e09-4abc-871c-c921686a0ab0" } }
              }
            }
            content: "content"
            title: "title"
          }
        ]
      ) {
        posts {
          content
          title
          author {
            username
          }
        }
      }
    }
With this schema setting, no authorization is needed to delete a Post, and that’s an issue.
I tried to restrict with the following, coming from the documentation:

    type Post @authorization(filter: [
      { where: { node: { author: { id: "$jwt.sub" } } } }
    ]) {
      ...
- with a correct token, the returned author after CreatePosts is null
- with a bad token, I get "Forbidden"

With @authorization(validate: ...) I always get "Forbidden".

I couldn't manage to use @authentication with restrictions other than roles_INCLUDES.
Thanks very much for your help.
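An added example, not taken from the post above or from the Neo4j GraphQL project's own code, showing how a validate rule on Post can be limited with the `operations` key so that only the author's JWT subject may update or delete a Post, while reads stay unrestricted. It assumes the Neo4j GraphQL library v4 `@authorization` syntax (`operations`, `when`, `$jwt.sub`) and the same Post/User types as the question.

```graphql
# Constructed example schema; the User type is the same as in the question.
type User @authorization(validate: [{ when: [BEFORE], where: { node: { id: "$jwt.sub" } } }]) {
  id: ID @id
  username: String!
  password: String! @private
  roles: [String!]
}

# Rules are scoped with `operations`, so an unscoped rule no longer
# applies to every operation (which is what produces "Forbidden" on READ).
type Post
  @authorization(
    validate: [
      # Only the owner of the token may modify or remove a Post.
      # Evaluated against the stored (User)-[:AUTHORED]->(Post) relationship.
      {
        operations: [UPDATE, DELETE]
        where: { node: { author: { id: "$jwt.sub" } } }
      }
      # On CREATE the relationship does not exist yet, so the check
      # runs AFTER the write: connecting someone else's User as author
      # fails validation and the transaction is rolled back.
      {
        operations: [CREATE]
        when: [AFTER]
        where: { node: { author: { id: "$jwt.sub" } } }
      }
    ]
  ) {
  title: String!
  content: String!
  author: User! @relationship(type: "AUTHORED", direction: IN)
}
```

With this schema, `deletePosts` and `updatePosts` issued with a token whose `sub` does not match the author's `id` are rejected, and a `createPosts` that connects a different author is rolled back, while `posts` queries remain readable by any authenticated caller.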