How to do Field visibility by object owner (vs authorization)

[nimmolo]

I have been reading about visibility in the docs. The #visible?(context) instance method seems to only consider the context of the current_user - it doesn't have access to the object itself.

The case I'm interested in is the user’s email address. In our app, a user's email should not be visible to anyone but an admin. But users should be queryable by email even to non-logged-in requests. So in order to enable login by email (which finds user by email), the email field cannot be blocked for query resolution with authorized? require_admin etc.

I just don't want to enable non-admin queries of all users, that returns the email field for all the users. I was thinking to hide the field's visibility by checking context[:current_user] against an object.user_id, but object is not available in the #visible? method.

Probably i'm thinking about this in a non-GraphQL way. Is this a common use case? How do people do this?

[rmosolgo]

Hey, great question.

"Visibility" is checked before running any of the query (even before validating the query string), so object isn't available. No fields have been executed, no queries have been started, etc -- there's just no runtime data. All we have is the query string and the context.

If you want to use actual runtime values (objects that are being used to resolve fields), then you have to use some runtime feature to implement this. "Authorization" might work (although you said it above it won't 😅 !) , but also, you could implement the field to return nil for unauthorized users:

field :email, String, description: "The user's email address. (Hidden for non-admins, unless you're requesting your own email address."

def email 
  if object == context[:current_user] || context[:current_user].admin?
    object.email 
  else 
    nil 
  end 
end 

I hope that helps ... hopefully one of those options will do the trick!

[nimmolo]

Yes! Thank you, that is a very helpful explanation - first couple sentences might even be good in the docs.

Although you recommend it clearly in the Resolvers page, it's taking me a long time to get my head around the simple idea that field resolution can happen outside of graphql-ruby, in the Rails app! An approach along those lines would maybe be to resolve a "login-by-email-address" by sending the input hash to a User.authenticate model method, while keeping the email field invisible to non-admins in GraphQL.

[nimmolo]

Now i get it. authorized? is what i need after all.