You can now restrict access to specific operations using rules when configuring your project's schema.
You can set the following rules when using signed-in or group-based authorization:
- `get` — Allow Fetch by queries
- `list` — Allow Fetch by collection queries
- `read` — Combines both `get` and `list`
- `create` — Allow create mutations
- `update` — Allow update mutations
- `delete` — Allow delete mutations
You can now provide an array of allowed operations when configuring rules.
```graphql
schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [
      { allow: private, operations: [read] }
      { allow: groups, groups: ["moderator"], operations: [update] }
      { allow: groups, groups: ["admin"] }
    ]
  ) {
  query: Query
}
```
The schema above will control data access for:
- Signed-in users to perform `read` operations
- Users of the `moderator` group to perform `update` operations
- Users of the `admin` group to perform all operations
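To audit what a rule set grants in practice, the following added example (not Grafbase's own code) models the semantics described above and computes the effective operations for a caller. It assumes that matching rules are combined as a union, that anything not granted is denied, and that the caller is represented as `null` or `{ groups: [...] }`; all function names are hypothetical.

```javascript
// Added illustration: a model of the rule semantics described on this page.
// Not Grafbase code; union-of-rules and deny-by-default are assumptions.
const ALL_OPS = ["get", "list", "create", "update", "delete"];

// Rules from the schema above, transcribed as plain objects.
const rules = [
  { allow: "private", operations: ["read"] },
  { allow: "groups", groups: ["moderator"], operations: ["update"] },
  { allow: "groups", groups: ["admin"] },
];

// `read` combines `get` and `list`; a rule with no `operations` allows all.
function expandOperations(rule) {
  if (!rule.operations) return new Set(ALL_OPS);
  const ops = new Set();
  for (const op of rule.operations) {
    if (op === "read") { ops.add("get"); ops.add("list"); }
    else if (ALL_OPS.includes(op)) ops.add(op);
    else throw new Error(`unknown operation: ${op}`);
  }
  return ops;
}

// `user` is null for an unauthenticated request (assumed shape).
function ruleApplies(rule, user) {
  if (!user) return false;                     // every rule here needs sign-in
  if (rule.allow === "private") return true;   // any signed-in user
  if (rule.allow === "groups") {
    const groups = Array.isArray(user.groups) ? user.groups : [];
    return rule.groups.some((g) => groups.includes(g));
  }
  return false;                                // unknown rule kinds grant nothing
}

// Effective permissions: union of every rule that applies to the caller.
function allowedOperations(ruleSet, user) {
  const allowed = new Set();
  for (const rule of ruleSet) {
    if (!ruleApplies(rule, user)) continue;
    for (const op of expandOperations(rule)) allowed.add(op);
  }
  return ALL_OPS.filter((op) => allowed.has(op));
}

function isAllowed(ruleSet, user, op) {
  return allowedOperations(ruleSet, user).includes(op);
}
```

Under this model a moderator also inherits `get` and `list` from the `private` rule, and the `admin` rule grants every operation because it omits `operations`.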
We'd love to hear your feedback and ideas, so join us on Discord.