Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Feature Request - field level @auth rules #8169

Closed
jdgamble555 opened this issue Aug 26, 2022 · 2 comments
Closed

Feature Request - field level @auth rules #8169

jdgamble555 opened this issue Aug 26, 2022 · 2 comments
Labels
area/graphql Issues related to GraphQL support on Dgraph. community Issue or PR created by the community. kind/feature Something completely new we should consider. Stale

Comments

@jdgamble555
Copy link

https://discuss.dgraph.io/t/how-to-achieve-field-level-auth-at-the-moment/13069
https://discuss.dgraph.io/t/using-auth-on-individual-fields/7208

Currently there is no way to secure a field differently than the entire type.

I have seen around 5 people leave DGraph due to this missing feature alone.

Example 1

Let's say I have:

type Post @auth(...) {
  id: ID!
  title: String!
  votes: [User]
  ...
}

I can use Auth Rules to prevent users from adding and updating the type. But what if I want to allow users to edit a certain field, and only a certain field.

If a user votes, they need to add a connection in the votes type. They should not have access to the other fields.

Example 2

The opposite example is preventing a user from editing a field in a post:

type User @auth(...) {
  id: ID!
  username: String!
  role: Role!
  ...
}

Let's say the role is User. I should not allow a regular user to update their own role to Admin.

The theoretical fix would be to have something like this:

type Post @auth(...) {
  id: ID!
  votes: [User] @auth(... some field based auth rule here)
  ...
}

Security makes and breaks DGraph for a lot of users, and this is one of the important ones.

J
@MichelDiz MichelDiz added the area/graphql Issues related to GraphQL support on Dgraph. label Aug 26, 2022
@jdgamble555 jdgamble555 mentioned this issue Aug 30, 2022
Open
@MichelDiz MichelDiz added kind/feature Something completely new we should consider. and removed feature request labels Sep 9, 2022
@rderbier rderbier moved this to 📋 Backlog in Feature Requests - PM RoadMap Nov 16, 2022
@rderbier rderbier added the community Issue or PR created by the community. label Dec 15, 2022
@rderbier rderbier moved this from 📋 TRIAGE to NOW in Feature Requests - PM RoadMap Jan 4, 2023
@rderbier rderbier moved this from NOW - May Aug 2023 to NEXT - Sept - Dec 2023 in Feature Requests - PM RoadMap Jun 28, 2023
@rderbier
Copy link
Contributor

From community:

Just an additional note on the necessity of field level auth:

An important use case for this is the ability to add comments to a post where the post has a field:

type Post {
   ...
   comments: [Comment] 
}

If any user has update access to the post, the user is able to modify the whole post. Otherwise they are unable to add a comment to the post.
Seeing as "Social media sites, Content Management Systems, and Ecommerce stores" are highlighted in the first page of the docs as use cases, it seems counterintuitive that this functionality isn't possible without some hacky workaround, that isn't consistent with the use of the @auth directive, when all of these use cases have this functionality as ubiquitously fundamental to their design.

The @auth directive could prove as an extremely powerful tool in allowing end users to access data from dgraph, and considering update-after-auth and field level updates are mentioned frequently, it seems an upheaval of the @auth directive is likely a necessity. Not ignoring of course the fact that the existing interface is clunky at best, and could be prone to errors in development.

The redevelopment of this is also beneficial, fiscally, for dgraph cloud, as if the @auth directive could be relied upon for all user access auth, it will reduce the need for purpose built API interfaces to be built on top of dgraph, allowing total public access to the dgraph DB. This in turn would increase the number requests made to the server...

just a thought.

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 1, 2024

This issue has been stale for 60 days and will be closed automatically in 7 days. Comment to keep it open.

@github-actions github-actions bot added the Stale label Aug 1, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 8, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
area/graphql Issues related to GraphQL support on Dgraph. community Issue or PR created by the community. kind/feature Something completely new we should consider. Stale
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MichelDiz @jdgamble555 @rderbier