How to use the graphql-shield.or function in graphql-shield
To help you get started, we’ve selected a few graphql-shield examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
rsnay / wadayano / server / src / permissions / rules.js View on Github 
} else if (args) {
id = args.id || args.courseId;
}
if (!id) { return false; }
const userInfo = getUserInfo(context);
return (!userInfo.isInstructor) && context.db.exists.Course({
id: id,
students_some: {
id: userInfo.userId
}
});
});
const canAccessCourse = or(enrolledInCourse, ownsCourse);
const ownsQuiz = rule({
cache: 'strict',
fragment: 'fragment QuizId on Quiz { id }'
}) ((parent, args, context, info) => {
console.log('SHIELD: ownsQuiz?', args);
// ID to check could be parent object (from resolver), or `id` or similar argument from query
let id = null;
if (parent && parent.id) {
id = parent.id;
} else if (args) {
id = args.id || args.quizId;
}
if (!id) { return false; }
const userInfo = getUserInfo(context);}
if (!id) { return false; }
const userInfo = getUserInfo(context);
return (!userInfo.isInstructor) && context.db.exists.Quiz({
id: id,
course: {
students_some: {
id: userInfo.userId
}
}
});
});
const canAccessQuiz = or(enrolledInQuiz, ownsQuiz);
const ownsQuestion = rule({
cache: 'strict',
fragment: 'fragment QuestionId on Question { id }'
}) ((parent, args, context, info) => {
console.log('SHIELD: ownsQuestion?');
// Question to check could be parent object (from resolver), or `id` or `questionId` argument from query
let id = null;
if (parent && parent.id) {
id = parent.id;
} else if (args) {
id = args.id || args.questionId;
}
if (!id) { return false; }
const userInfo = getUserInfo(context);const userInfo = getUserInfo(context);
return (!userInfo.isInstructor && context.db.exists.Course({
quizzes_some: {
questions_some: {
id: id
}
},
students_some: {
id: userInfo.userId
}
}));
});
const canAccessQuestion = or(enrolledInQuestion, ownsQuestion);
// Unlike other entities in datamodel, a student “owns” a QuizAttempt
const ownsQuizAttempt = rule({
cache: 'strict',
fragment: 'fragment QuizAttemptId on QuizAttempt { id }'
}) ((parent, args, context, info) => {
console.log('SHIELD: ownsQuizAttempt?');
// ID to check could be parent object (from resolver), or `id` or similar argument from query
let id = null;
if (parent && parent.id) {
id = parent.id;
} else if (args) {
id = args.id || args.quizAttemptId;
}
if (!id) { return false; }const email = getUserEmail(ctx)
return ctx.db.exists.Grocer({ email })
},
)
export const isCustomer = rule({ cache: 'contextual' })(
async (parent, args, ctx: Context, info) => {
// console.log('SHIELD: IsCustomer?')
const email = getUserEmail(ctx)
return ctx.db.exists.Customer({ email })
},
)
export const isAuthenticated = or(isCustomer, isGrocer)profilePagePosts: allow,
Comment: allow,
User: or(noEmailFilter, isAdmin),
isLoggedIn: allow,
Badge: allow,
PostsEmotionsCountByEmotion: allow,
PostsEmotionsByCurrentUser: isAuthenticated,
blockedUsers: isAuthenticated,
notifications: isAuthenticated,
Donations: isAuthenticated,
},
Mutation: {
'*': deny,
login: allow,
SignupByInvitation: allow,
Signup: or(publicRegistration, isAdmin),
SignupVerification: allow,
UpdateUser: onlyYourself,
CreatePost: isAuthenticated,
UpdatePost: isAuthor,
DeletePost: isAuthor,
fileReport: isAuthenticated,
CreateSocialMedia: isAuthenticated,
UpdateSocialMedia: isMySocialMedia,
DeleteSocialMedia: isMySocialMedia,
// AddBadgeRewarded: isAdmin,
// RemoveBadgeRewarded: isAdmin,
reward: isAdmin,
unreward: isAdmin,
followUser: isAuthenticated,
unfollowUser: isAuthenticated,
shout: isAuthenticated,const userInfo = getUserInfo(context);
// Is there a better way to resolve this?
return (userInfo.isInstructor && context.db.exists.QuizAttempt({
quiz: {
course: {
instructors_some: {
id: userInfo.userId
}
}
}
}));
});
const canAccessQuizAttempt = or(ownsQuizAttempt, instructorForQuizAttempt);
module.exports = {
isStudent,
isInstructor,
isAuthenticated,
ownsCourse,
enrolledInCourse,
canAccessCourse,
ownsQuiz,
enrolledInQuiz,
canAccessQuiz,
ownsQuestion,
enrolledInQuestion,RETURN author
`, { postId })
const [author] = result.records.map((record) => {
return record.get('author')
})
const { properties: { id: authorId } } = author
session.close()
return authorId === user.id
})
// Permissions
const permissions = shield({
Query: {
statistics: allow,
currentUser: allow,
Post: or(onlyEnabledContent, isModerator)
},
Mutation: {
CreatePost: isAuthenticated,
UpdatePost: isAuthor,
DeletePost: isAuthor,
report: isAuthenticated,
CreateBadge: isAdmin,
UpdateBadge: isAdmin,
DeleteBadge: isAdmin,
// addFruitToBasket: isAuthenticated
follow: isAuthenticated,
unfollow: isAuthenticated,
shout: isAuthenticated,
unshout: isAuthenticated,
changePassword: isAuthenticated,
enable: isModerator,(acc: IOperations, key: string) => {
if (key === 'Query' || key === 'Mutation') {
acc[key] = Object.keys(operations[key]).reduce(
(queries, name) => {
queries[name] = operations[key][name].length > 1
? or(...operations[key][name])
: operations[key][name][0]
return queries
},
{},
)
}
if (Array.isArray(operations[key])) {
acc[key] = or(...operations[key])
}
return acc
},
{},module.exports = shield({
Mutation: {
addAthletesToFinalsLeaderboard: and(rules.isAuthenticated, rules.isAdmin),
createWorkoutScore: rules.isAuthenticated,
lockCompetitionQualifiersLeaderboards: and(
rules.isAuthenticated,
rules.isAdmin
),
unlockCompetitionQualifiersLeaderboards: and(
rules.isAuthenticated,
rules.isAdmin
),
updateAthleteProfile: and(
rules.isAuthenticated,
or(rules.isAdmin, rules.isMe)
),
updateWorkoutScore: rules.isAuthenticated
},
Query: {
athlete: and(rules.isAuthenticated, or(rules.isMe, rules.isAdmin)),
athletes: and(rules.isAuthenticated, rules.isAdmin),
getRelevantFinalsLeaderboards: rules.isAuthenticated,
getRelevantQualifiersLeaderboard: rules.isAuthenticated,
me: rules.isAuthenticated
}
})DeleteUser: isDeletingOwnAccount,
requestPasswordReset: allow,
resetPassword: allow,
AddPostEmotions: isAuthenticated,
RemovePostEmotions: isAuthenticated,
block: isAuthenticated,
unblock: isAuthenticated,
markAsRead: isAuthenticated,
AddEmailAddress: isAuthenticated,
VerifyEmailAddress: isAuthenticated,
pinPost: isAdmin,
unpinPost: isAdmin,
UpdateDonations: isAdmin,
},
User: {
email: or(isMyOwn, isAdmin),
},
},
{
debug,
allowExternalErrors,
fallbackRule: allow,
},
)graphql-shield
GraphQL Server permissions as another layer of abstraction!
