How to implement readonly access to fields depending on the users Role

[causiz]

Hi, I am evaluatating Graphql as we plan to take over an existing Rest based node app and rewrite it in .NET.

The one thing I can not find a solution or examples for is this:

Given a simple class (e.g. from ef core) how can I limit the update for any single property (so not the object as a whole) to certain roles.

Or to put it the other way round, how can I differentiate "seeing" a field from "changing" it depending on a role?

Any link or explanatioon would be much appreciated ... or even a search term, maybe I just ask Google the wrong question :)
Or maybe there is another way/Best practice how to solve this?

Warmly,

Christian

[tobias-tengler]

If you take a look at the Authorization documentation, you can annotate your properties or mutation methods using the [Authorize] attribute.
There is no such thing as "hiding" fields or getters/setters.
You could for example have the following setup:

type User {
  name: String
  ssn: SocialSecurityNumber @authorize(roles: "Administrator)
}

type Query {
 user(id: ID): User
}

Now only an administrator can query for the ssn field on the user type.

For modification you would have a mutation:

type Mutation {
  setUserSsn(userId: ID, ssn: SocialSecurityNumber): Payload @authorize(policy: "IsOwner")
}

Now only users that fulfill the IsOwner policy can change the ssn of a user.

Hope this helps :)

[causiz]

Thank you very much that was quick :)

And so obvious!

Warmly,

Christian

[causiz]

@tobias-tengler I looked into this and as I understand it from your answer:

If I have more than one mutation working on a field (because different behaviours require a change on this property), then I would need to repeat the authorization for each mutation.
I feel that might be quite error prone (as it is easy to forget) and also repetitive to test.

So I wonder is there an additional way to make it happen to do the authorization - in my case especially for setters - in one place, e.g. on the ObjectType?

I just want to make sure I have not overlooked somethhing before I trie to fiddle around with directives or so.

I just wonder if I somehow have the wrong approach here as differentiating write access to fields by authorization is quite common, isn't it?

I might run into the same problem with skipping properties fully depending on the authorization, but in that case I will open a new conversation.

[tobias-tengler]

You can specify the authorization rule at the type level of the mutation type so it will apply to all the fields of the mutation type, unless specified otherwise for individual fields. It's mentioned here.