How would I prevent other roles from seeing certain values of a Query

I have an Admin Role and a Regular User Role that are of type User.

I created a

type Query{
  getUsers: [User]
}
type User {
  email: String @unique
  name: String
  quests: [Quest] @relation(name: "user_quests")
  #knight: Knight @relation(name: "user_knight")
  heros: [Hero] @relation(name: "user_knights")
  jobs: [Job] @relation(name: "user_jobs")
  role: UserRole
  follower1: User @relation(name: "user_follower1")
  twitter: String
  profileImage: String
}

that grabs all the User data. What I want is for the Admin role to be able to see the email address, but not the User role or the public client. However, with the User collection I created, I need to set the read permission to true for both the regular user role and the public client. How do I prevent the email field from being requestable by those roles, while still being able to request the email from the Admin role with the same getUsers query?


It is not possible to hide only some fields with ABAC rules.

The workaround for GraphQL to separate fields with permissions is to make a separate UserProfile type that is distinct from a UserAccount type, where the former can be more public and the latter requires admin permissions.

This is also possible in plain FQL by, for example, giving a user permission to access a UDF that gets the user document and only returns the white-listed fields. But this kind of tight control is not yet available with the GraphQL API. You could create a new @embedded type that is a simplified version of the User info, but then you’ll lose the benefits of the relationships, since @relation is not permitted on embedded types.

You can also have two separate UDFs that can be accessed according to the ABAC user roles you set. For example:

type Query {
  getUsers: [User]
  getUsersForAdmin: [User]
}

Then in the FQL of the UDFs, you can hide specific values that are returned with the Merge function. Here is a solution someone else implemented: Hiding some fields in the return model - #6 by Luigi_Servini

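The two-UDF approach from the answer above, written out as an added example in FQL v4 (this is not code from the thread, from the linked Luigi_Servini post, or from Fauna's documentation). It assumes a collection named User whose documents store the role in data.role as either "ADMIN" or "USER", the function names getUsers and getUsersForAdmin from the answer, and role names regular_user and admin_user chosen here. Instead of removing the email with Merge, the public UDF builds the returned document from an explicit whitelist of fields, so anything added to User later is hidden by default rather than exposed by default. The GraphQL side is only the @resolver binding shown in the leading comment.

```fql
// GraphQL schema change (hypothetical names, matching the answer above):
//
//   type Query {
//     getUsers: [User] @resolver(name: "getUsers")
//     getUsersForAdmin: [User] @resolver(name: "getUsersForAdmin")
//   }

// Public UDF: returns User documents with only whitelisted data fields.
// The caller needs no read privilege on the User collection; the UDF itself
// runs with the built-in read-only role and does the reading.
CreateFunction({
  name: "getUsers",
  role: "server-readonly",
  body: Query(
    Lambda(
      [],
      Select(
        "data",
        Map(
          Paginate(Documents(Collection("User")), { size: 100000 }),
          Lambda(
            "ref",
            Let(
              { doc: Get(Var("ref")) },
              // Keep the ref/ts/data document shape; rebuild data from an
              // explicit whitelist. email is simply never copied across.
              {
                ref: Select("ref", Var("doc")),
                ts: Select("ts", Var("doc")),
                data: {
                  name: Select(["data", "name"], Var("doc"), null),
                  twitter: Select(["data", "twitter"], Var("doc"), null),
                  profileImage: Select(["data", "profileImage"], Var("doc"), null),
                  role: Select(["data", "role"], Var("doc"), null)
                }
              }
            )
          )
        )
      )
    )
  )
})

// Admin UDF: returns the full documents, email included.
CreateFunction({
  name: "getUsersForAdmin",
  role: "server-readonly",
  body: Query(
    Lambda(
      [],
      Select(
        "data",
        Map(
          Paginate(Documents(Collection("User")), { size: 100000 }),
          Lambda("ref", Get(Var("ref")))
        )
      )
    )
  )
})

// ABAC roles: membership is decided by data.role on the logged-in User
// document; privileges grant only the right to call the matching UDF.
CreateRole({
  name: "regular_user",
  membership: {
    resource: Collection("User"),
    predicate: Query(
      Lambda("ref", Equals(Select(["data", "role"], Get(Var("ref")), null), "USER"))
    )
  },
  privileges: [
    { resource: Function("getUsers"), actions: { call: true } }
  ]
})

CreateRole({
  name: "admin_user",
  membership: {
    resource: Collection("User"),
    predicate: Query(
      Lambda("ref", Equals(Select(["data", "role"], Get(Var("ref")), null), "ADMIN"))
    )
  },
  privileges: [
    { resource: Function("getUsers"), actions: { call: true } },
    { resource: Function("getUsersForAdmin"), actions: { call: true } }
  ]
})
```

The security-relevant detail is that neither role receives read on the User collection itself. The question's original setup needed read: true for the regular role and the public client, and with that privilege in place any caller can bypass the GraphQL field selection with a plain FQL Get and read the email anyway. Granting call on the UDF instead keeps the only read path inside code you control. For an anonymous public client, the same pattern applies: issue a key whose custom role has just { resource: Function("getUsers"), actions: { call: true } }. A quick check that the whitelist holds is to log in as a USER-role account and run Call(Function("getUsers")) directly in the shell: the returned data objects should contain no email key, and Call(Function("getUsersForAdmin")) should fail with a permission error.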
