如何在 GraphQL 查询中检查权限和其他条件? [英] How to check permissions and other conditions in GraphQL query?
问题描述
我如何检查用户是否有权查看或查询?我不知道该怎么做.
How could I check if user has permission to see or query something? I have no idea how to do this.
- 在
args中?这将如何运作? - 在
resolve()中?查看用户是否有权限以及以某种方式消除/更改一些参数?
- In
args? How would that even work? - In
resolve()? See if user has permission and somehow eliminate/change some of the args?
示例:
如果用户是访客",他只能看到公开的帖子,管理员"可以看到一切.
If user is "visitor", he can only see public posts, "admin" can see everything.
const userRole = 'admin'; // Let's say this could be "admin" or "visitor"
const Query = new GraphQLObjectType({
name: 'Query',
fields: () => {
return {
posts: {
type: new GraphQLList(Post),
args: {
id: {
type: GraphQLString
},
title: {
type: GraphQLString
},
content: {
type: GraphQLString
},
status: {
type: GraphQLInt // 0 means "private", 1 means "public"
},
},
// MongoDB / Mongoose magic happens here
resolve(root, args) {
return PostModel.find(args).exec()
}
}
}
}
})
<小时>
更新 - Mongoose 模型如下所示:
Update - Mongoose model looks something like this:
import mongoose from 'mongoose'
const postSchema = new mongoose.Schema({
title: {
type: String
},
content: {
type: String
},
author: {
type: mongoose.Schema.Types.ObjectId, // From user model/collection
ref: 'User'
},
date: {
type: Date,
default: Date.now
},
status: {
type: Number,
default: 0 // 0 -> "private", 1 -> "public"
},
})
export default mongoose.model('Post', postSchema)
推荐答案
您可以在解析函数或模型层中检查用户的权限.以下是您必须采取的步骤:
You can check a user's permission in the resolve function or in the model layer. Here are the steps you have to take:
- 在执行查询之前对用户进行身份验证.这取决于您的服务器,并且通常发生在 graphql 之外,例如通过查看与请求一起发送的 cookie.有关如何使用 Passport 执行此操作的更多详细信息,请参阅此媒体帖子.js.
将经过身份验证的用户对象或用户 ID 添加到上下文中.在 express-graphql 中,您可以通过上下文参数来实现:
- Authenticate the user before executing the query. This is up to your server and usually happens outside of graphql, for example by looking at the cookie that was sent along with the request. See this Medium post for more details on how to do this using Passport.js.
Add the authenticated user object or user id to the context. In express-graphql you can do it via the context argument:
app.use('/graphql', (req, res) => {
graphqlHTTP({ schema: Schema, context: { user: req.user } })(req, res);
}
像这样在解析函数中使用上下文:
Use the context inside the resolve function like this:
resolve(parent, args, context){
if(!context.user.isAdmin){
args.isPublic = true;
}
return PostModel.find(args).exec();
}
您可以直接在解析函数中进行授权检查,但如果您有模型层,我强烈建议通过将用户对象传递给模型层来实现它.这样,您的代码将更加模块化,更易于重用,而且您不必担心忘记在某个解析器中进行某些检查.
You can do authorization checks directly in resolve functions, but if you have a model layer, I strongly recommend implementing it there by passing the user object to the model layer. That way your code will be more modular, easier to reuse and you don't have to worry about forgetting some checks in a resolver somewhere.
有关授权的更多背景,请查看这篇文章(也是我自己写的):GraphQL 中的身份验证 - 第 2 部分
For more background on authorization, check out this post (also written by myself): Auth in GraphQL - part 2
这篇关于如何在 GraphQL 查询中检查权限和其他条件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
