How to use the graphql-shield.and function in graphql-shield

To help you get started, we’ve selected a few graphql-shield examples, based on popular ways it is used in public projects.


github este / este / server / api / permissions / index.js View on Github external
});
  });

// To check undefined resolvers. Interesting we can use $Keys on Flow interface.
// Unfortunately, we can't use $ObjMap.
// TODO: Update codegen somehow to generate exact types for 100% coverage.
// The ideal DX: 1) add resolver 2) Flow warn about missing or wrong permission.
// Flow exact-object type for the permission map: one rule function per Mutation and Query field.
// NOTE(review): `[$Keys]` appears here without a type argument; the page extraction may have
// dropped it. Confirm against the original file.
type Rules = {|
  Mutation: { [$Keys]: Function },
  Query: { [$Keys]: Function },
|};

// Field-level authorization map handed to shield() below.
// and(...) grants access only when every rule it wraps passes, so each per-object rule
// here is paired with isAuthenticated.
const rules: Rules = {
  Mutation: {
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    createWeb: isAuthenticated,
    // The callback tells the rule where the target id sits in the arguments (args.input.id).
    // NOTE(review): isWebCreator / isPageCreator are defined outside this excerpt; presumably
    // they check that the current user created the referenced object. Confirm.
    deleteWeb: and(isAuthenticated, isWebCreator(args => args.input.id)),
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    setTheme: isAuthenticated,
    setPageTitle: and(isAuthenticated, isPageCreator(args => args.input.id)),
    setWebName: and(isAuthenticated, isWebCreator(args => args.input.id)),
    setPageElement: and(isAuthenticated, isPageCreator(args => args.input.id)),
    deletePage: and(isAuthenticated, isPageCreator(args => args.input.id)),
  },
  Query: {
    // `allow` always passes: this field is reachable without authentication.
    me: allow,
    // Queries carry the id at the top level of args, not under args.input.
    page: and(isAuthenticated, isPageCreator(args => args.id)),
    web: and(isAuthenticated, isWebCreator(args => args.id)),
  },
};

// NOTE(review): shield() is called without options. graphql-shield's `fallbackRule` defaults
// to `allow`, so a field missing from `rules` is served without any check; passing
// `{ fallbackRule: deny }` as the second argument makes the map fail closed.
const permissions = shield(rules);

export default permissions;
github maticzav / graphql-shield / examples / basic / index.js View on Github external
return ctx.user.role === 'admin'
  },
)

// Rule that passes when the user on the request context has the 'editor' role.
// cache: 'contextual' marks the result as depending on the context only, so it can be
// reused for the rest of the request.
// NOTE(review): ctx.user is dereferenced without a null check; confirm that the context
// builder always sets it, or that this rule is only reached after authentication.
const isEditor = rule({ cache: 'contextual' })(
  async (_parent, _args, ctx, _info) => ctx.user.role === 'editor',
)

// Permissions

// Permission map; it is passed to the server as middleware further down.
// NOTE(review): no options are passed to shield(). graphql-shield's `fallbackRule` defaults
// to `allow`, so fields and types not listed here are served without a check.
const permissions = shield({
  Query: {
    // not(...) inverts the rule: frontPage is granted only when isAuthenticated fails.
    frontPage: not(isAuthenticated),
    // and(...) needs every rule to pass; or(...) needs at least one.
    // NOTE(review): and() does not evaluate its rules in order, so the role rules, which read
    // ctx.user.role, can run on requests where isAuthenticated fails. graphql-shield's chain()
    // evaluates one rule at a time and stops at the first failure.
    fruits: and(isAuthenticated, or(isAdmin, isEditor)),
    customers: and(isAuthenticated, isAdmin),
  },
  Mutation: {
    addFruitToBasket: isAuthenticated,
  },
  // Type-level rules: these apply to the Fruit and Customer types, not to a single field.
  Fruit: isAuthenticated,
  Customer: isAdmin,
})

const server = GraphQLServer({
  typeDefs,
  resolvers,
  middlewares: [permissions],
  context: req => ({
    ...req,
    user: getUser(req),
github este / este / server / api / permissions / index.js View on Github external
// Unfortunately, we can't use $ObjMap.
// TODO: Update codegen somehow to generate exact types for 100% coverage.
// The ideal DX: 1) add resolver 2) Flow warn about missing or wrong permission.
// Flow exact-object type for the permission map: one rule function per Mutation and Query field.
// NOTE(review): `[$Keys]` appears here without a type argument; the page extraction may have
// dropped it. Confirm against the original file.
type Rules = {|
  Mutation: { [$Keys]: Function },
  Query: { [$Keys]: Function },
|};

// Field-level authorization map handed to shield() below.
// and(...) grants access only when every rule it wraps passes.
const rules: Rules = {
  Mutation: {
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    createWeb: isAuthenticated,
    // The callback tells the rule where the target id sits in the arguments (args.input.id).
    // NOTE(review): isWebCreator / isPageCreator are defined outside this excerpt; presumably
    // they check that the current user created the referenced object. Confirm.
    deleteWeb: and(isAuthenticated, isWebCreator(args => args.input.id)),
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    setTheme: isAuthenticated,
    setPageTitle: and(isAuthenticated, isPageCreator(args => args.input.id)),
    setWebName: and(isAuthenticated, isWebCreator(args => args.input.id)),
    setPageElement: and(isAuthenticated, isPageCreator(args => args.input.id)),
    deletePage: and(isAuthenticated, isPageCreator(args => args.input.id)),
  },
  Query: {
    // `allow` always passes: this field is reachable without authentication.
    me: allow,
    // Queries carry the id at the top level of args, not under args.input.
    page: and(isAuthenticated, isPageCreator(args => args.id)),
    web: and(isAuthenticated, isWebCreator(args => args.id)),
  },
};

// NOTE(review): shield() is called without options. graphql-shield's `fallbackRule` defaults
// to `allow`, so a field missing from `rules` is served without any check; passing
// `{ fallbackRule: deny }` as the second argument makes the map fail closed.
const permissions = shield(rules);

export default permissions;
github maticzav / graphql-shield / examples / basic / index.js View on Github external
},
)

// Rule that passes when the user on the request context has the 'editor' role.
// cache: 'contextual' marks the result as depending on the context only, so it can be
// reused for the rest of the request.
// NOTE(review): ctx.user is dereferenced without a null check; confirm that the context
// builder always sets it, or that this rule is only reached after authentication.
const isEditor = rule({ cache: 'contextual' })(
  async (_parent, _args, ctx, _info) => ctx.user.role === 'editor',
)

// Permissions

// Permission map; it is passed to the server as middleware further down.
// NOTE(review): no options are passed to shield(). graphql-shield's `fallbackRule` defaults
// to `allow`, so fields and types not listed here are served without a check.
const permissions = shield({
  Query: {
    // not(...) inverts the rule: frontPage is granted only when isAuthenticated fails.
    frontPage: not(isAuthenticated),
    // and(...) needs every rule to pass; or(...) needs at least one.
    // NOTE(review): and() does not evaluate its rules in order, so isEditor, which reads
    // ctx.user.role, can run on requests where isAuthenticated fails. graphql-shield's chain()
    // evaluates one rule at a time and stops at the first failure.
    fruits: and(isAuthenticated, or(isAdmin, isEditor)),
    customers: and(isAuthenticated, isAdmin),
  },
  Mutation: {
    addFruitToBasket: isAuthenticated,
  },
  // Type-level rules: these apply to the Fruit and Customer types, not to a single field.
  Fruit: isAuthenticated,
  Customer: isAdmin,
})

const server = GraphQLServer({
  typeDefs,
  resolvers,
  middlewares: [permissions],
  context: req => ({
    ...req,
    user: getUser(req),
  }),
github waitandseeagency / graphql-sword / src / rules.ts View on Github external
/**
 * Picks the rule to enforce for one permission entry.
 *
 * - With neither `args.query` nor a non-empty `args.fields`, `authenticatedRule` is
 *   returned as is, whatever the value of `authenticated`.
 * - Otherwise the rule built by `defaultRule(args)` is used; it is combined with
 *   `authenticatedRule` through `and(...)` only when `authenticated` is true.
 *
 * NOTE(review): with `authenticated` false and a query or field list present, the result
 * is `defaultRule(args)` alone, so that rule is the only check on the entry. Confirm this
 * is intended for every caller.
 *
 * @param authenticated whether the entry also requires `authenticatedRule`
 * @param authenticatedRule rule returned directly, or combined with the default rule
 * @param args permission arguments; `query` and `fields` decide which branch is taken
 * @returns the rule to register for the entry
 */
export const wrapRules = (
  authenticated: boolean,
  authenticatedRule: Rule,
  args: IPermissionArgs,
): LogicRule | Rule => {
  const isScoped =
    Boolean(args.query) || Boolean(args.fields && args.fields.length)
  if (!isScoped) {
    return authenticatedRule
  }

  const scopedRule = defaultRule(args)
  if (authenticated) {
    return and(authenticatedRule, scopedRule)
  }
  return scopedRule
}
github firstmeanseverything / api.firstmeanseverything.com / graphql / permissions / index.js View on Github external
const { and, or, shield } = require('graphql-shield')
const rules = require('./rules')

module.exports = shield({
  Mutation: {
    addAthletesToFinalsLeaderboard: and(rules.isAuthenticated, rules.isAdmin),
    createWorkoutScore: rules.isAuthenticated,
    lockCompetitionQualifiersLeaderboards: and(
      rules.isAuthenticated,
      rules.isAdmin
    ),
    unlockCompetitionQualifiersLeaderboards: and(
      rules.isAuthenticated,
      rules.isAdmin
    ),
    updateAthleteProfile: and(
      rules.isAuthenticated,
      or(rules.isAdmin, rules.isMe)
    ),
    updateWorkoutScore: rules.isAuthenticated
  },
  Query: {
github este / este / server / api / permissions / index.js View on Github external
Query: { [$Keys]: Function },
|};

// Field-level authorization map handed to shield() below.
// and(...) grants access only when every rule it wraps passes.
const rules: Rules = {
  Mutation: {
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    createWeb: isAuthenticated,
    // The callback tells the rule where the target id sits in the arguments (args.input.id).
    // NOTE(review): isWebCreator / isPageCreator are defined outside this excerpt; presumably
    // they check that the current user created the referenced object. Confirm.
    deleteWeb: and(isAuthenticated, isWebCreator(args => args.input.id)),
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    setTheme: isAuthenticated,
    setPageTitle: and(isAuthenticated, isPageCreator(args => args.input.id)),
    setWebName: and(isAuthenticated, isWebCreator(args => args.input.id)),
    setPageElement: and(isAuthenticated, isPageCreator(args => args.input.id)),
    deletePage: and(isAuthenticated, isPageCreator(args => args.input.id)),
  },
  Query: {
    // `allow` always passes: this field is reachable without authentication.
    me: allow,
    // Queries carry the id at the top level of args, not under args.input.
    page: and(isAuthenticated, isPageCreator(args => args.id)),
    web: and(isAuthenticated, isWebCreator(args => args.id)),
  },
};

// NOTE(review): shield() is called without options. graphql-shield's `fallbackRule` defaults
// to `allow`, so a field missing from `rules` is served without any check; passing
// `{ fallbackRule: deny }` as the second argument makes the map fail closed.
const permissions = shield(rules);

export default permissions;
github firstmeanseverything / api.firstmeanseverything.com / graphql / permissions / index.js View on Github external
const { and, or, shield } = require('graphql-shield')
const rules = require('./rules')

// Permission map exported as the graphql-shield middleware.
// and(...) needs every rule to pass; or(...) needs at least one.
// NOTE(review): no options are passed to shield(). graphql-shield's `fallbackRule` defaults
// to `allow`, so a Mutation or Query field added to the schema but not listed here is served
// without a check; `{ fallbackRule: deny }` as the second argument makes the map fail closed.
module.exports = shield({
  Mutation: {
    // Admin-only operations: both rules must pass.
    addAthletesToFinalsLeaderboard: and(rules.isAuthenticated, rules.isAdmin),
    // Only isAuthenticated is applied here; no role or ownership rule appears in this map.
    // NOTE(review): confirm the resolver itself restricts which score can be written.
    createWorkoutScore: rules.isAuthenticated,
    lockCompetitionQualifiersLeaderboards: and(
      rules.isAuthenticated,
      rules.isAdmin
    ),
    unlockCompetitionQualifiersLeaderboards: and(
      rules.isAuthenticated,
      rules.isAdmin
    ),
    // Authenticated, and additionally either isAdmin or isMe must pass.
    updateAthleteProfile: and(
      rules.isAuthenticated,
      or(rules.isAdmin, rules.isMe)
    ),
    // Only isAuthenticated is applied here, unlike updateAthleteProfile above.
    updateWorkoutScore: rules.isAuthenticated
  },
  Query: {
    athlete: and(rules.isAuthenticated, or(rules.isMe, rules.isAdmin)),
    athletes: and(rules.isAuthenticated, rules.isAdmin),
    getRelevantFinalsLeaderboards: rules.isAuthenticated,
    getRelevantQualifiersLeaderboard: rules.isAuthenticated,
    me: rules.isAuthenticated
  }
})
github firstmeanseverything / api.firstmeanseverything.com / graphql / permissions / index.js View on Github external
lockCompetitionQualifiersLeaderboards: and(
      rules.isAuthenticated,
      rules.isAdmin
    ),
    unlockCompetitionQualifiersLeaderboards: and(
      rules.isAuthenticated,
      rules.isAdmin
    ),
    updateAthleteProfile: and(
      rules.isAuthenticated,
      or(rules.isAdmin, rules.isMe)
    ),
    updateWorkoutScore: rules.isAuthenticated
  },
  Query: {
    athlete: and(rules.isAuthenticated, or(rules.isMe, rules.isAdmin)),
    athletes: and(rules.isAuthenticated, rules.isAdmin),
    getRelevantFinalsLeaderboards: rules.isAuthenticated,
    getRelevantQualifiersLeaderboard: rules.isAuthenticated,
    me: rules.isAuthenticated
  }
})
github este / este / server / api / permissions / index.js View on Github external
|};

// Field-level authorization map handed to shield() below.
// and(...) grants access only when every rule it wraps passes.
const rules: Rules = {
  Mutation: {
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    createWeb: isAuthenticated,
    // The callback tells the rule where the target id sits in the arguments (args.input.id).
    // NOTE(review): isWebCreator / isPageCreator are defined outside this excerpt; presumably
    // they check that the current user created the referenced object. Confirm.
    deleteWeb: and(isAuthenticated, isWebCreator(args => args.input.id)),
    // Only isAuthenticated is applied; there is no per-object rule on this field.
    setTheme: isAuthenticated,
    setPageTitle: and(isAuthenticated, isPageCreator(args => args.input.id)),
    setWebName: and(isAuthenticated, isWebCreator(args => args.input.id)),
    setPageElement: and(isAuthenticated, isPageCreator(args => args.input.id)),
    deletePage: and(isAuthenticated, isPageCreator(args => args.input.id)),
  },
  Query: {
    // `allow` always passes: this field is reachable without authentication.
    me: allow,
    // Queries carry the id at the top level of args, not under args.input.
    page: and(isAuthenticated, isPageCreator(args => args.id)),
    web: and(isAuthenticated, isWebCreator(args => args.id)),
  },
};

// NOTE(review): shield() is called without options. graphql-shield's `fallbackRule` defaults
// to `allow`, so a field missing from `rules` is served without any check; passing
// `{ fallbackRule: deny }` as the second argument makes the map fail closed.
const permissions = shield(rules);

export default permissions;

graphql-shield

GraphQL Server permissions as another layer of abstraction!

MIT
Latest version published 2 years ago
