rebing/graphql-laravel lists all
queries, mutations and subscriptions when you perform
introspection,
even those queries which would not be authorized when called (due to rules in
their #authorize method).
This extension allows us to:
- Define separate rules for calling a query and introspecting a query.
- Only list allowed queries, mutations and subscriptions in an introspection.
For example: you may want to list updatePost mutation for all authors with
authorizeIntrospection, but only allow an author to edit his or her own post
on calling updatePost. Thus:
authorizeIntrospection: allows showing the documentation.authorize: allows calling it with the given arguments.
In your queries, mutations and subscriptions base classes, you may want to add:
<?php
namespace App\GraphQL\Mutation;
use Rebing\GraphQL\Support\Mutation;
class AbstractMutation extends Mutation
{
public function authorizeIntrospection()
{
// Your rule here
return true;
}
public function authorize(array $args)
{
// Only override when you have custom rule according to the $args
return $this->authorizeIntrospection();
}
}composer require "fidelize/graphql-laravel-authorize-introspection"
Replace Rebing\GraphQL\GraphQLServiceProvider with
Fidelize\GraphQLAuthorizedIntrospection\ServiceProvider in your
config/app.php file.