How to achieve field level auth at the moment?

I will explain my issue, but first let me give you a quick overview.
I am creating a POC for a new project which has functionality a little bit similar to the DevJokes example repo here - graphql-sample-apps/dev-jokes at master · dgraph-io/graphql-sample-apps · GitHub

My Frontend is going to be connected to the Slash GraphQL directly and there is no server in-between.

To summarize, users would be able to post stuff that needs to go through an approval process. This is present in the example linked above, but when I looked at the implementation in detail, it is just that the AddPost mutation sent from the frontend has the field ‘isApproved’ passed as false.
Now, I sent a new mutation directly from Insomnia with the ‘isApproved’ field set to true, and the post got approved.

What I want to know is: given a simple type like the following, how do I make sure that, while adding and updating, the isApproved field is ALWAYS false, and only people with special roles are able to set that particular field value to true?
Note that users should be able to edit their own posts, but only the other fields such as title and description, and there will be more fields later.

Here is the relevant part of the schema, without any auth rules:

type User {
  id: ID!
  posts: [Post!] @hasInverse(field: user)
  email: String! @search(by: [exact, regexp])
  isEmailVerfied: Boolean
}


type Post {
  id: ID!
  user: User!
  title: String! @search(by: [fulltext])
  description: String
  isApproved: Boolean
}

I would do it with a connected node that controls whether it is approved, and then only allow adding/updating on that connected node to approvers. But how then to filter to show only the approved Posts? Do it with an auth query rule itself.

type User {
  id: ID!
  posts: [Post!] @hasInverse(field: user)
  email: String! @search(by: [exact, regexp])
  isEmailVerfied: Boolean
}


type Post @auth(
  query: { or: [
    {
      # role based rule for approver to see all
    }
    { rule: "query { queryPost { approved { __typename } } }" }
  ]}
) {
  id: ID!
  user: User!
  title: String! @search(by: [fulltext])
  description: String
  approved: Approval
}

type Approval @auth(
  add: # rules here to block non approvers
  update: # rules here to block non approvers
  delete: # rules here to delete non approvers
) {
  approvedBy: User!
  approved: Post! @hasInverse(field: "approved")
}
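A filled-in version of the connected-node design above, as an added example that is not the original poster's or amaster507's schema: it assumes a JWT carrying USER (email) and ROLE claims under the Dgraph claims namespace and a placeholder HS256 key, and it also adds an owner-only update rule for the other Post fields, which the question asks about but the answer leaves open.

```graphql
# Added example (not the poster's or amaster507's schema). Assumed JWT
# layout: claims namespace "https://dgraph.io/jwt/claims" holds
#   { "USER": "<email>", "ROLE": "USER" | "APPROVER" }
# $USER / $ROLE in the rules read those claims; a missing claim fails the rule.

type User {
  id: ID!
  posts: [Post!] @hasInverse(field: user)
  email: String! @search(by: [exact, regexp])
  isEmailVerfied: Boolean
}

type Post @auth(
  # Readable if approved, or by its owner, or by an approver (sees pending too).
  query: { or: [
    { rule: "{$ROLE: { eq: \"APPROVER\" }}" },
    { rule: "query { queryPost { approved { __typename } } }" },
    { rule: """query($USER: String!) {
        queryPost { user(filter: { email: { eq: $USER } }) { __typename } }
      }""" }
  ]},
  # Only the owner may update; the rule acts as a filter, so other
  # users' posts are excluded from the update rather than erroring.
  update: { rule: """query($USER: String!) {
      queryPost { user(filter: { email: { eq: $USER } }) { __typename } }
    }""" }
) {
  id: ID!
  user: User!
  title: String! @search(by: [fulltext])
  description: String
  approved: Approval
}

# The approval flag is its own node, so the field-level question becomes a
# type-level rule: only APPROVER tokens can create, change or remove one.
# A user adding a Post with a nested new Approval is blocked by the add rule.
type Approval @auth(
  add:    { rule: "{$ROLE: { eq: \"APPROVER\" }}" },
  update: { rule: "{$ROLE: { eq: \"APPROVER\" }}" },
  delete: { rule: "{$ROLE: { eq: \"APPROVER\" }}" }
) {
  id: ID!
  approvedBy: User!
  approved: Post! @hasInverse(field: approved)
}

# Dgraph.Authorization {"VerificationKey":"<PLACEHOLDER-HS256-SECRET>","Header":"X-Auth-Token","Namespace":"https://dgraph.io/jwt/claims","Algo":"HS256"}
```

Post has no add or delete rule here, so those operations stay open to any token that passes verification; add owner-scoped rules for them in the same style if the project needs them.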

I see,

Thank you for the detailed response @amaster507

Actually, in the requirements the User also has to be approved via a verification process first, so I should be able to do a similar thing at the User level itself, right?
