Restrict allowed operations

You can now restrict access to specific operations using rules when configuring your project's schema.

You can set the following rules when using signed-in or group based authorization:

get — Allow Fetch by queries
list — Allow Fetch by collection queries
read — Combines both get and list
create — Allow create mutations
update — Allow update mutations
delete — Allow delete mutations

You can now provide an array of allowed operations when configuring rules.


schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [
      { allow: private, operations: [read] }
      { allow: groups, groups: ["moderator"], operations: [update] }
      { allow: groups, groups: ["admin"] }
    ]
  ) {
  query: Query
}

The schema above will control data access for:

Signed-in users to perform read operations
Users of the moderator group to perform update operations
Users of the admin group to perform all operations

Learn more about restricting allowed operations

We'd love to hear your feedback and ideas, so join us on Discord.