Thanks for the update! 
Maybe it’s just me who doesn’t get it, so let’s try to add a bit more context here.
Problem description
We have a permission based authorisation. All users permissions are stored in the user claim in a permissions array. The underlying schema would be
enum Permission {
PERM_1
PERM_2
PERM_3
PERM_4
}
interface CheckAccess {
id: ID!
requiredPermissions: [Permission!]! @search
}
type ProtectedNode implements CheckAccess {
id: ID!
title: String
# from interface
# requiredPermissions: [Permission!]! @search
}
type Context1 {
id: ID!
protectedField: ProtectedNode
}
type Context2 {
id: ID!
protectedField: ProtectedNode
}
Let’s assume two users with permissions
user1 = ["PERM_1", "PERM_3", "PERM_4"]
user2 = ["PERM_2", "PERM_3", "PERM_4"]
Let’s further assume that ProtectedNode needs context awareness and thus it needs to know if it belongs to either Context1 or Context2. Each of the ProtectedNodes require a certain set of permissions to be queryable by the user. Let’s say
// Context 1
{
id: "0x1",
protectedField: {
id: "0x2",
title: "Only users with PERM_1 and PERM_3 can query",
requiredPermissions: [
PERM_1,
PERM_3
]
}
}
and
// Context 2
{
id: "0x3",
protectedField: {
id: "0x4",
title: "Only users with PERM_2 and PERM_4 can query",
requiredPermissions: [
PERM_2,
PERM_4
]
}
}
I now want to query ProtectedNode but I need to check wether the user has sufficient rights. Thus the only protection I could think of would be
interface CheckAccess
@auth(
query: { rule: """{ queryCheckAccess(filter: { requiredPermissions: { in: $permissions } }) { id } }""" }
) {
id: ID!
requiredPermissions: [Permission!]! @search
}
I don’t want to expose 0x2 to user2 since he is missing PERM_1 and vice versa for user1 and 0x4. Still, both users would be able to query both nodes!
The only solution I could think of, is that I add context aware permissions which combine all sorts of possible permission combinations and check for only one single value.
Just to clarify:
- reverse edges are not a possibility