Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorizer: Pass operation type in addition to context #1026

Closed
mwoelk opened this issue Mar 30, 2021 · 0 comments · Fixed by #1055
Closed

Authorizer: Pass operation type in addition to context #1026

mwoelk opened this issue Mar 30, 2021 · 0 comments · Fixed by #1055
Labels
enhancement New feature or request

Comments

@mwoelk
Copy link
Contributor

mwoelk commented Mar 30, 2021

Is your feature request related to a problem? Please describe.
Right now a custom Authorizer can be defined by e.g. implementing Authorizer and passing the new class via a decorator.
In the implementation of the authorize function we are only passed the graphql context.
The authorization applies the same to all operations (query/updateOne/updateMany/etc...).
Often we might have different authorization requirements for read/write operations.

E.g. a user might be allowed to read all other users but should only be allowed to update/delete his own user.

Have you read the Contributing Guidelines?

yes

Describe the solution you'd like

Authorizer Implementation

The authorizer should also receive information on the type of the method that should be authorized and in the best case some additional data that was passed by the user to also allow for fine grained authorization.

Example that would allow to update the isArchived field only on ToDos that are owned by the user:

async authorize(context: GraphqlContext, method: string, data: any) {
    if(method.startsWith('update') && data.update.isArchived) {
       return { ownerId: { eq: context.req.user.id } };
    }
    return {};
}

AuthorizerFilter

The @AuthorizerFilter() could be adapted to pass the name of the decorated function by default to the method argument of the authorize function (this could e.g. be overriden by a decorator argument). In a similar fashion, the @Args of the decorated method should be passed to the data.

Authorize decorator

With such an addition, the @Authorize decorator could also be used to authorize the create* methods by checking the input data and throwing an exception if the creation should be forbidden.

This approach would also keep backwards-compatibility because a user doesn't need to use the method/data arguments in his custom Authorizer.

@mwoelk mwoelk added the enhancement New feature or request label Mar 30, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 2, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 5, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 5, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 5, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 7, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 7, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 7, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 7, 2021
mwoelk added a commit to mwoelk/nestjs-query that referenced this issue Apr 8, 2021
@doug-martin doug-martin linked a pull request Apr 12, 2021 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant