Issue: Shield ACL rules not compatible with count query and nested operations (breaking proposal)
maoosi opened this issue · 5 comments
maoosi commented
Problems
Base path not included in QueryParams.paths
query countPosts {
countPosts
}{
"operation": "countPosts",
"paths": [], # missing `/count/post`
}Prisma reserved keywords like connect, connectOrCreate missing from QueryParams.paths
mutation createPost {
createPost(
data: {
title: "Hello people"
author: { connect: { id: 1 } }
}
) {
id
title
}
}{
"operation": "createPost",
"paths": [
"/create/post/author/id", # missing `/create/post/author/connect/id`
"/create/post/title",
"/get/post/id",
"/get/post/title"
]
}Proposed solution (breaking)
Update QueryParams.paths to:
- Include base path such as
[action][Model](countPosts) - Include Prisma reserved keywords like
connect,connectOrCreate, ... - Make the syntax closer to creating shield rules
countPosts{,/**} - Allow to create more granular rules such as
createPost/**/connect{,/**}
Example:
mutation createPost {
createPost(
data: {
title: "Hello people"
author: { connect: { id: 1 } }
}
) {
id
title
}
}Before:
{
"paths": [
"/create/post/title",
"/create/post/author/id",
"/get/post/id",
"/get/post/title"
]
}After:
{
"paths": [
"createPost",
"createPost/title",
"createPost/author",
"createPost/author/connect",
"createPost/author/connect/id",
"getPost",
"getPost/id",
"getPost/title"
]
}Breaking changes:
Breaking for people using QueryParams.paths for custom business logic (most likely inside Hooks).
StephanDecker commented
Thanks for considering these issues :-)
cjjenkinson commented
This looks great thank you @maoosi
maoosi commented
Implementing the solution was a lot more changes and work than initially anticipated, but it is now ready and will be released as part of 1.0.0-rc.6.
cjjenkinson commented
@maoosi Great work here, when will this be released?
maoosi commented
@cjjenkinson thanks! A new version will be released this week.