
Manage user roles with Graphcool


I'm using the template graphcool/templates/auth/email-password with Graphcool and I'd like to add the ability to manage user roles.

This is my definition schema:

type User @model {
    id: ID! @isUnique
    createdAt: DateTime!
    updatedAt: DateTime!
    email: String! @isUnique
    password: String!
    role: UserRole!
}

enum UserRole {
    EDITOR,
    MODERATOR,
    ADMIN
}

I'm already receiving the role in the query and saving it in local storage, but anyone would be able to change it, affecting the frontend UI (if we add permissions, we shouldn't need to worry on the server side). What's the best/most secure way to manage it?


Solution

  • Are you using the Graphcool framework?

    If you need to set up permissions in graphcool.yml, I would include the following:

    graphcool.yml

    - operation: User.create
      authenticated: true
      query: permissions/User.graphql:adminRole
    - operation: User.read
      authenticated: true
      query: permissions/User.graphql:adminRole
    - operation: User.update
      authenticated: true
      query: permissions/User.graphql:adminRole
    - operation: User.delete
      authenticated: true
      query: permissions/User.graphql:adminRole
    
    - operation: User.read
      authenticated: true
      query: permissions/User.graphql:user
      fields:
      - id
      - name
      - role
      - createdAt
      - updatedAt
      - email
      - company
    - operation: User.update
      authenticated: true
      query: permissions/User.graphql:user
      fields:
      - name
      - company
    

    User.graphql

    query user($node_id: ID, $user_id: ID!) {
      SomeUserExists(filter: {AND: [{id: $user_id}, {id: $node_id}]})
    }
    
    query adminRole($user_id: ID!) {
      SomeUserExists(filter: {id: $user_id, role: ADMIN})
    }
    

    This way the user can only update their name and company. The ADMIN user can read and edit everyone. Only ADMIN users can create or update new users.

    Then you're probably asking: how do you create new users? I would use the FaaS code from the Graphcool templates for email-password authentication, found here:

    https://github.com/graphcool/templates/tree/master/auth/email-password

    The signup.ts file should show you how a new user can sign up and how the admin then creates a new user for you. Inside the signup function you can default the UserRole to whatever you want.

    https://github.com/graphcool/templates/blob/master/auth/email-password/src/signup.ts
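
As an added illustration (not part of the original answer or of Graphcool's own code), the following JavaScript models how the graphcool.yml rules and User.graphql queries above compose. The users table, the rule evaluation order and the `isAllowed` helper are constructed and simplified; the point is that the role the frontend keeps in localStorage never enters the decision, only the role stored server-side does.

```javascript
// Constructed users table standing in for the server-side User model;
// the caller's role comes from here, never from localStorage or the client.
const users = [
  { id: 'u1', role: 'ADMIN' },
  { id: 'u2', role: 'EDITOR' },
];

// The two permission queries from User.graphql, as predicates.
const permissionQueries = {
  // query user: the node being touched must be the caller's own record
  user: ({ userId, nodeId }) =>
    users.some(u => u.id === userId && u.id === nodeId),
  // query adminRole: the caller's stored role must be ADMIN
  adminRole: ({ userId }) =>
    users.some(u => u.id === userId && u.role === 'ADMIN'),
};

// The rules from graphcool.yml. No `fields` means every field is covered.
const rules = [
  { operation: 'User.create', query: 'adminRole' },
  { operation: 'User.read', query: 'adminRole' },
  { operation: 'User.update', query: 'adminRole' },
  { operation: 'User.delete', query: 'adminRole' },
  { operation: 'User.read', query: 'user',
    fields: ['id', 'name', 'role', 'createdAt', 'updatedAt', 'email', 'company'] },
  { operation: 'User.update', query: 'user', fields: ['name', 'company'] },
];

// Simplified model (assumption): every field the operation touches must be
// covered by at least one rule whose permission query returns true; an
// operation without fields (create/delete) needs one passing rule. All rules
// are `authenticated: true`, so an anonymous caller is always denied.
function isAllowed({ operation, userId, nodeId, fields = [] }) {
  if (!userId) return false;
  const passing = rules.filter(
    r => r.operation === operation && permissionQueries[r.query]({ userId, nodeId })
  );
  if (fields.length === 0) return passing.length > 0;
  return fields.every(f => passing.some(r => !r.fields || r.fields.includes(f)));
}

// An EDITOR may rename themselves but cannot promote themselves, whatever
// role their browser claims; an ADMIN may change anyone's role.
console.log(isAllowed({ operation: 'User.update', userId: 'u2', nodeId: 'u2', fields: ['name'] })); // true
console.log(isAllowed({ operation: 'User.update', userId: 'u2', nodeId: 'u2', fields: ['role'] })); // false
console.log(isAllowed({ operation: 'User.update', userId: 'u1', nodeId: 'u2', fields: ['role'] })); // true
console.log(isAllowed({ operation: 'User.read', userId: 'u2', nodeId: 'u1', fields: ['email'] })); // false
```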