Read restriction. (field level)

ProjectINT · June 20, 2022, 11:33am

How to implement field level restriction?
Looks like fauna don’t have abilities to doing this - it’s right?

ewan · June 21, 2022, 4:30pm

Fauna does not provide field-level restrictions.

For FQL queries, you could employ ABAC roles to create those, and you could use UDFs to compose return objects based on documents that users should not otherwise be able to access.

For GraphQL, any fields described in the schema are accessible to clients performing queries/mutations. However, you could employ a resolver that replaces fields that should not be accessible with, say, a null value.

How you achieve those depends on what fields you want to restrict, and under what conditions.

ProjectINT · June 21, 2022, 5:38pm

I am not understand compleatly how we can use UDFs.
In previleges settings i can define functions as:

But this function return boolean that open or close access. Is we have ability return object from it with only needed fields of this document?

ewan · June 21, 2022, 8:58pm

When I mentioned UDF, I was not referring to an ABAC role predicate.

When a query is authenticated with the secret from a token, there are no implicit permissions except that the query can update the token’s identity document. So, no access is granted to read/write documents, generally.

If you add a role that permits execution of UDFs, you can create a UDF that fetches a document and returns a subset of the document’s fields.

For example, suppose you have a “products” collection that contains documents that look like this:

> Get(Ref(Collection("products"), "201"))
{
  ref: Ref(Collection("products"), "201"),
  ts: 1655827556680000,
  data: {
    name: 'cups',
    description: 'Translucent 9 Oz, 100 ct',
    price: 6.98,
    quantity: 100,
    store: Ref(Collection("stores"), "302"),
    backorderLimit: 5,
    backordered: false
  }
}

You can write a UDF that only returns the name description, and price fields, like this:

CreateFunction({
  name: 'getProduct',
  body: Query(
    Lambda(
      "ref",
      {
        name: Select(["data", "name"], Get(Var("ref"))),
        description: Select(["data", "name"], Get(Var("ref"))),
        price: Select(["data", "name"], Get(Var("ref"))),
      }
    )
  )
})

Then, you can call the function:

> Call("getProduct", Ref(Collection("products"), "201"))
{ name: 'cups', description: 'cups', price: 'cups' }

system · June 26, 2022, 6:13pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GraphQL only role Feature Requests graphql , feature-request	6	596	February 28, 2023
Read access logged in Users own document Help fql , authentication	4	502	May 4, 2021
Hiding document properties based on role Help graphql , abac	2	630	April 21, 2023
Read only auth for graphql Help graphql , authentication , best-practices	3	581	May 4, 2021
Limiting privileges for user tokens Help abac , security , secret , fsl	6	252	December 10, 2023

Read restriction. (field level)

Related Topics