@envelop/operation-field-permissions

Rejects operations that select fields the caller is not permitted to select. This is useful for restricting certain public API users to a subset of the public GraphQL schema. The operation is rejected without triggering execution, unlike graphql-shield, which applies its rules during execution.

Note: This plugin and authorization on a resolver level (or via middleware) are complementary. You should still verify whether a viewer is allowed to access certain data within your resolvers.

Installation

yarn add @envelop/operation-field-permissions

Usage Example

import { envelop, useSchema } from '@envelop/core'
import { useOperationFieldPermissions } from '@envelop/operation-field-permissions'

// `schema` is your application's executable GraphQL schema
const getEnveloped = envelop({
  plugins: [
    useSchema(schema),
    useOperationFieldPermissions({
      // we can access graphql context here
      // the returned Set lists the `Type.field` coordinates the viewer may select
      getPermissions: async context => new Set(['Query.greetings', ...context.viewer.permissions])
    })
    /* ... other envelops */
  ]
})

Schema

type Query {
  greetings: [String!]!
  foo: String
}

Operation

query {
  foo
}

Response

{
  "data": null,
  "errors": [
    {
      "message": "Insufficient permissions for selecting 'Query.foo'.",
      "locations": [
        {
          "line": 2,
          "column": 2
        }
      ]
    }
  ]
}
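The following is an added example, not code from the plugin or its documentation: a simplified model of the decision shown above, extended to nested fields and to a permission builder that fails closed when the viewer is missing. `SCHEMA`, `ROLE_FIELDS`, `permissionsFor`, `checkSelection` and `authorize` are hypothetical names, and the schema and role data are constructed.

```javascript
// Added example: hypothetical names, constructed schema and role data.
// Constructed schema map: type name -> field name -> return type name.
const SCHEMA = {
  Query: { greetings: 'String', foo: 'String', me: 'User' },
  User: { id: 'ID', email: 'String' }
};

// Assumed role model: each role grants a list of `Type.field` coordinates.
const ROLE_FIELDS = new Map([
  ['partner', ['Query.me', 'User.id']],
  ['admin', ['Query.foo', 'Query.me', 'User.id', 'User.email']]
]);

// Build the permission set for a viewer. Fails closed: a missing viewer or
// an unknown role is granted only the public field.
// Usable as: getPermissions: async context => permissionsFor(context.viewer)
function permissionsFor(viewer) {
  const allowed = new Set(['Query.greetings']);
  const roles = viewer && Array.isArray(viewer.roles) ? viewer.roles : [];
  for (const role of roles) {
    for (const coord of ROLE_FIELDS.get(role) || []) allowed.add(coord);
  }
  return allowed;
}

// Walk a selection tree ({ fieldName: subSelection | null }) and collect one
// error per selected field whose coordinate is not in the allowed set.
function checkSelection(selection, typeName, allowed, errors = []) {
  for (const [field, sub] of Object.entries(selection)) {
    const coord = `${typeName}.${field}`;
    if (!allowed.has(coord)) {
      errors.push({ message: `Insufficient permissions for selecting '${coord}'.` });
    }
    const returnType = SCHEMA[typeName]?.[field];
    if (sub && typeof returnType === 'string') {
      checkSelection(sub, returnType, allowed, errors);
    }
  }
  return errors;
}

// Decide before any resolver runs: a single denied field rejects the operation.
function authorize(selection, viewer) {
  const errors = checkSelection(selection, 'Query', permissionsFor(viewer));
  return { allowed: errors.length === 0, errors };
}
```

A parent field being allowed does not imply its children are: `Query.me` and `User.email` are separate coordinates and each must be granted.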
