Issue: Shield ACL rules not compatible with count query and nested operations (breaking proposal)
maoosi opened this issue · comments
Sylvain commented
Problems
Base path not included in QueryParams.paths
query countPosts {
countPosts
}
{
"operation": "countPosts",
"paths": [], # missing `/count/post`
}
Prisma reserved keywords like connect, connectOrCreate missing from QueryParams.paths
mutation createPost {
createPost(
data: {
title: "Hello people"
author: { connect: { id: 1 } }
}
) {
id
title
}
}
{
"operation": "createPost",
"paths": [
"/create/post/author/id", # missing `/create/post/author/connect/id`
"/create/post/title",
"/get/post/id",
"/get/post/title"
]
}
Proposed solution (breaking)
Update QueryParams.paths to:
- Include base path such as [action][Model] (countPosts)
- Include Prisma reserved keywords like connect, connectOrCreate, ...
- Make the syntax closer to creating shield rules countPosts{,/**}
- Allow to create more granular rules such as createPost/**/connect{,/**}
Example:
mutation createPost {
createPost(
data: {
title: "Hello people"
author: { connect: { id: 1 } }
}
) {
id
title
}
}
Before:
{
"paths": [
"/create/post/title",
"/create/post/author/id",
"/get/post/id",
"/get/post/title"
]
}
After:
{
"paths": [
"createPost",
"createPost/title",
"createPost/author",
"createPost/author/connect",
"createPost/author/connect/id",
"getPost",
"getPost/id",
"getPost/title"
]
}
Breaking changes:
Breaking for people using QueryParams.paths for custom business logic (most likely inside Hooks).
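The path format proposed in the issue above, worked through as an added example (not part of the original post and not Prisma-AppSync's own code): it rebuilds the "After" list from the createPost mutation and shows that a rule scoped to `connect` only has something to match once the keyword is kept in the paths. `walk`, `buildPaths`, `globToRegExp` and `matching` are hypothetical names, and the small glob translator is an assumption standing in for the library's matcher.

```javascript
// Added example: walk(), buildPaths(), globToRegExp() and matching() are hypothetical
// helpers, not Prisma-AppSync code. Inputs are constructed from the issue's example.

// Record every key on the way down, so Prisma keywords such as `connect` stay visible.
function walk(prefix, node, out) {
  out.push(prefix);
  if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) walk(`${prefix}/${key}`, value, out);
  }
  return out;
}

// Proposed format: base path `[action][Model]`, input paths, then returned fields.
function buildPaths(action, model, data, selection) {
  const paths = walk(`${action}${model}`, data, []);
  if (selection) walk(`get${model}`, selection, paths);
  return paths;
}

// Minimal glob subset (`*`, `**`, `/**/`, un-nested `{a,b}`); an assumption standing in
// for whatever matcher the library uses.
function globToRegExp(glob) {
  let re = '';
  let depth = 0;
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (glob.startsWith('/**/', i)) { re += '/(?:.*/)?'; i += 3; }
    else if (glob.startsWith('**', i)) { re += '.*'; i += 1; }
    else if (c === '*') re += '[^/]*';
    else if (c === '{') { re += '(?:'; depth++; }
    else if (c === '}') { re += ')'; depth--; }
    else if (c === ',' && depth > 0) re += '|';
    else re += c.replace(/[.+?^$()|[\]\\]/g, '\\$&');
  }
  return new RegExp(`^${re}$`);
}

const matching = (rule, paths) => paths.filter((p) => globToRegExp(rule).test(p));

// Constructed from the issue: the old output versus the proposed output.
const before = ['/create/post/title', '/create/post/author/id', '/get/post/id', '/get/post/title'];
const after = buildPaths('create', 'Post',
  { title: 'Hello people', author: { connect: { id: 1 } } }, { id: true, title: true });

console.log(matching('createPost/**/connect{,/**}', after));  // the two connect paths
console.log(matching('createPost/**/connect{,/**}', before)); // nothing to match on
console.log(matching('countPosts{,/**}', buildPaths('count', 'Posts'))); // base path only
```

With the old paths, the `connect` rule finds nothing to evaluate, so a nested connect passes through unexamined; with the proposed paths, the same rule selects exactly the nested operation.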
StephanDecker commented
Thanks for considering these issues :-)
Sylvain commented
Implementing the solution was a lot more changes and work than initially anticipated, but it is now ready and will be released as part of 1.0.0-rc.6.
Sylvain commented
@cjjenkinson thanks! A new version will be released this week.