
Only allow user to edit own content in Graphcool permissions


I have followed the steps of setting up the Introduction Project at https://www.graph.cool/. In the permissions section for the project I can see and edit the permissions for e.g. Posts:

Graphcool permissions for Posts

When clicking the row that shows that Everyone can Edit Data for a Post, a dialogue appears. There I am able to edit the permission so that only authenticated users may edit posts:

Update permissions for editing Posts

However, how can I make a rule so that users can only edit their own posts, and not posts created by other users?


Solution

  • Your question is perfectly timed :-) Yesterday Graphcool released a new advanced permission system based on GraphQL queries that allow you to declare arbitrary permission rules based on relations in your data.

    Restricting UPDATE permissions to the owner of a post is a trivial example (code below), but I'll encourage you to take a look at the documentation and start thinking about how this feature can help you implement more complex permission rules.

    Restricting edits of a post to the author

    query ($node_id: ID!, $user_id: ID!) {
      SomePostExists(filter:{
        id: $node_id,
        author: {id: $user_id}
      })
    }
    

    Documentation

    https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/

    https://www.graph.cool/docs/tutorials/authorization-content-management-system-miesho4goo/
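A plain-JavaScript model of how the permission query in the answer above decides an update, added here as an example and not part of the original answer or Graphcool's own code. The sample posts, the user ids and the helper names `matches`, `somePostExists` and `canUpdatePost` are assumptions made for illustration.

```javascript
// Constructed sample data: two posts with different authors, one with no author.
const posts = [
  { id: "post-1", author: { id: "user-alice" } },
  { id: "post-2", author: { id: "user-bob" } },
  { id: "post-3", author: null },
];

// Every key in the filter must match the node; a nested object in the
// filter is matched against the related node (here: the post's author).
function matches(node, filter) {
  if (node === null || node === undefined) return false;
  return Object.entries(filter).every(([key, expected]) => {
    if (expected !== null && typeof expected === "object") {
      return matches(node[key], expected);
    }
    return node[key] === expected;
  });
}

// Model of SomePostExists(filter: ...): true when at least one post matches.
function somePostExists(filter) {
  return posts.some((post) => matches(post, filter));
}

// Model of the UPDATE decision: nodeId plays the role of $node_id (the post
// being edited), userId the role of $user_id (the authenticated caller).
function canUpdatePost(nodeId, userId) {
  // Assumption: an unauthenticated request carries no user id, so deny early.
  if (typeof userId !== "string" || userId === "") return false;
  return somePostExists({ id: nodeId, author: { id: userId } });
}

console.log(canUpdatePost("post-1", "user-alice")); // owner edits own post
console.log(canUpdatePost("post-1", "user-bob"));   // other user's post
console.log(canUpdatePost("post-3", "user-alice")); // post without an author
```

Because both conditions sit in one filter, the check is bound to the specific post being edited: owning some other post does not satisfy it, and a post with no author is editable by nobody under this rule.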