Graphql 4.0 Create Authorization

rioultf · August 16, 2023, 12:47pm

Hi,
I have the same issue, though I think I went a little farer than you. See my post here.

I managed to require that a post should only be created by its author, but I did not managed to prevent post from deletion.

About your code:

I'm surprised that it is working because operations is not allowed in @authorization
User should be protected by @authorization, not by @authentication. This is enough to let the system verify that only the author can create the post:

type User @authorization(validate: [{ when: [BEFORE], where: { node: { id: "$jwt.sub" } } }]){
...

I managed to add @authorization for Post but it has to include a when: [AFTER] section:

type Post
  @authorization(
     validate: [{
       when: [AFTER],
       where: { node: { author: { id: "$jwt.sub" } } } 
     }]
  ) {

Unfortunately, as previously written, no way here to prevent post from deletion.

Please keep me informed if you could do it.

(I'm also interested in shield, but I confess that I'm tired to get this low documented thing working, I'd rather downgrade to previous version).

Topic		Replies	Views
How to correctly restrict access to nested content in Neo4J-GraphQL? GraphQL & GRANDstack	1	317	August 16, 2023
Neo4j-graphql-js - proposed authorization layer - status? GraphQL & GRANDstack	0	429	January 17, 2020
Type auth rules, and resolved fields GraphQL & GRANDstack	0	262	August 29, 2021
Authorization In GRANDstack w/ Custom Schema Directives Community Content & Blogs	1	1001	October 12, 2018
Authorization In GRANDstack Using Custom Schema Directives GraphQL & GRANDstack auth , authentication , graphql , grandstack	1	1360	October 13, 2018

July Summer Fun!