Restrict allowed operations

You can now restrict access to specific operations using rules when configuring your project's schema.

You can set the following rules when using signed-in or group-based authorization:

You can now provide an array of allowed operations when configuring rules.

schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [
      { allow: private, operations: ["read"] }
      { allow: groups, groups: ["moderator"], operations: ["update"] }
      { allow: groups, groups: ["admin"] }
    ]
  ) {
  query: Query
}

The schema above will control data access for:

  • Signed-in users to perform read operations
  • Users of the moderator group to perform update operations
  • Users of the admin group to perform all operations
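
To check that a rule set grants only what you intend, you can model it locally before deploying. The following is an added example, not Grafbase code. It assumes that rules are additive, that group membership comes from a `groups` array in the already-verified token claims, and that the full operation set is the `ALL_OPS` list; `allowedOperations`, `isAllowed` and the sample callers are hypothetical names.

```javascript
// Local model of the three rules in the schema above (added illustration).
// Assumptions: additive rules, a `groups` claim, and this operation set.
const ALL_OPS = ["create", "read", "update", "delete"];

const RULES = [
  { allow: "private", operations: ["read"] },
  { allow: "groups", groups: ["moderator"], operations: ["update"] },
  { allow: "groups", groups: ["admin"] }, // no operations list: all operations
];

// Returns the operations the rules grant to a caller, in ALL_OPS order.
// `claims` is null for an unauthenticated caller, otherwise the decoded,
// already-verified token payload.
function allowedOperations(rules, claims) {
  if (!claims) return []; // neither rule type matches an anonymous caller
  const userGroups = Array.isArray(claims.groups) ? claims.groups : [];
  const granted = new Set();
  for (const rule of rules) {
    const matches =
      rule.allow === "private" ||
      (rule.allow === "groups" &&
        (rule.groups || []).some((g) => userGroups.includes(g)));
    if (!matches) continue;
    for (const op of rule.operations || ALL_OPS) granted.add(op);
  }
  return ALL_OPS.filter((op) => granted.has(op));
}

function isAllowed(rules, claims, operation) {
  return allowedOperations(rules, claims).includes(operation);
}

// Constructed sample callers, one per case the rules distinguish.
const callers = {
  anonymous: null,
  signedIn: { sub: "user-1" },
  moderator: { sub: "user-2", groups: ["moderator"] },
  admin: { sub: "user-3", groups: ["admin"] },
};

// Print the access matrix so over-broad grants are easy to spot.
for (const [name, claims] of Object.entries(callers)) {
  console.log(name.padEnd(10), allowedOperations(RULES, claims).join(", ") || "(none)");
}
```

Under the additive assumption a moderator keeps the signed-in read grant in addition to update, and a signed-in user whose token lists an unrelated group gets read only.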

We'd love to hear your feedback and ideas, so join us on Discord.