Owner role on edit

I've searched around different site but I have not found a solution yet, I have this kind of schema:

type Friendship @relation(name: "FOLLOW") {
  from: User
  to: User
  timestamp: Int
}

type User {
  uuid: ID!
  email: String
  username: String
  password: String
  friendship: [Friendship]
}

or

type Post {
  uuid: ID!
  text: String
  created: DateTime
  modified: DateTime
  owner: User @relation(name: "HAS_POSTS", direction: "IN")
  reviews: [Review] @relation(name: "HAS_REVIEWS", direction: "OUT")
}

and I want to allow the edit of these nodes only by the author of the node, is this possible somehow through neo4j or this is something achievable only through the app acl?

many thanks
Francesco

Hello Francesco,

At this time, the application would need to manage what data an end-user can edit.

In our next release of Neo4j (4.0) which will be available early next year, we are adding role-based access control which will make it easier for applications to manage who accesses different part of the graph.

Elaine

Have you seen the auth directives blog post from @William_Lyon?

Hi,

many thnaks both! yes I read it but is a bit different, my problem is not to create roles/scope but to define the ownership of the node and let only the owner edit this node...

One option would be to use @cypher schema directives to accomplish this. So for example, a mutation to delete all Posts authored by some User would look something like this:

type Mutation {
  deletePostsByUser(userId: ID!): User @cypher("""
    MATCH (u:User {id: $userId})-[:AUTHORED]->(p:Post)
    DETACH DELETE p
    RETURN u
  """)
}

If you are using some sort of auth middleware you can also inject the user specific info (in this case the user id) into the Cypher query. See https://grandstack.io/docs/neo4j-graphql-js-middleware-authorization.html#cypher-parameters-from-context

1 Like