The Guild LogoThe Guild Monogram

Search docs

Search icon

Products by The Guild

Products

Hive logoHive blurred logo

Hive

Schema Registry for your GraphQL Workflows

Envelop Logo

Envelop

Get Started

Plugin Hub > useOperationFieldPermissions

yarn add @envelop/operation-field-permissions

@envelop/operation-field-permissions#

Disallow executing operations that select certain fields. Useful if you want to restrict the scope of certain public API users to a subset of the public GraphQL schema, without triggering execution (e.g. how graphql-shield works).

Note: This plugin and authorization on a resolver level (or via middleware) are complementary. You should still verify whether a viewer is allowed to access certain data within your resolvers.

Installation#

yarn add @envelop/operation-field-permissions

Usage Example#

import { envelop, useSchema } from '@envelop/core'; import { useOperationFieldPermissions } from 'envelop/operation-field-permissions'; const getEnveloped = envelop({ plugins: [ useSchema(schema), useOperationFieldPermissions({ // we can access graphql context here getPermissions: async context => new Set(['Query.greetings', ...context.viewer.permissions]), }), /* ... other envelops */ ], });

Schema

type Query { greetings: [String!]! foo: String }

Operation

query { foo }

Response

{ "data": null, "errors": [ { "message": "Insufficient permissions for selecting 'Query.foo'.", "locations": [ { "line": 2, "column": 2 } ] } ] }

Plugin Details