maticzav/graphql-shield

Why does `fallbackRule` default to `allow`?

Closed this issue · 4 comments

Seems nuts to create a permissions system that is not secure by default. Shouldn't fallbackRule default to deny?

Hey @tsongas 👋,

Thank you for opening an issue. We will get back to you as soon as we can. Have you seen our Open Collective page? Please consider contributing financially to our project. This will help us involve more contributors and get to issues like yours faster.

https://opencollective.com/graphql-shield

We offer priority support for all financial contributors. Don't forget to add priority label once you become one! 😄

Hmm, I just tried setting `fallbackRule: deny` when calling `shield()` and it seems to deny all requests, even a query I specifically allow. When I set `'*': deny` in my `Query` object when calling `shield()` I can still allow specific queries, so maybe I'm not understanding what `fallbackRule` actually does, because setting it to `deny` seems to deny everything?

I did find this page in the documentation, but it makes no sense to me; I'm not sure what is meant by "lock-in your schema" or "lock in your service." I think maybe I'm confused because so far I've only added permissions for queries, not individual fields.

Hey 👋

Took a bit longer to come around. I think this is a common issue when starting with permissions in GraphQLShield. When you denied all fields by default, did you make sure that the types that your queries return are allowed, or did you only allow query fields?
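The behaviour discussed in this thread, as an added illustration that is not part of the issue or of graphql-shield's own code: a simplified model of how a shield-style permission tree is consulted per field (explicit `Type.field`, then `Type['*']`, then `fallbackRule`), showing why `fallbackRule: deny` also denies the fields of the type a whitelisted query returns. The `allow`/`deny` functions and the list of touched fields are stand-ins constructed for the example.

```javascript
// Added illustration: a simplified model of graphql-shield's rule lookup
// (explicit Type.field, then Type['*'], then fallbackRule). It is not the
// library's code; rules here are plain predicates instead of shield rule objects.
const allow = () => true;
const deny = () => false;

// Resolve the rule that applies to one field of one type.
function resolveRule(permissions, fallbackRule, typeName, fieldName) {
  const typeRules = permissions[typeName] || {};
  if (typeRules[fieldName]) return typeRules[fieldName];
  if (typeRules['*']) return typeRules['*'];
  return fallbackRule;
}

// A query succeeds only if every field it touches is allowed, including the
// fields of the object types it returns, not just the root Query field.
function isQueryAllowed(permissions, fallbackRule, touchedFields) {
  return touchedFields.every(([typeName, fieldName]) =>
    resolveRule(permissions, fallbackRule, typeName, fieldName)());
}

// Constructed input: the query `{ me { name } }` touches Query.me and User.name.
const ME_QUERY = [['Query', 'me'], ['User', 'name']];

// Only the root field is whitelisted: User.name still falls through to deny.
const queryOnly = { Query: { me: allow } };
// Also allowing the returned type's fields makes the same query succeed.
const withTypes = { Query: { me: allow }, User: { '*': allow } };
// Denying only Query['*'] keeps the default fallback (allow) for User.
const starDeny = { Query: { '*': deny, me: allow } };

console.log(isQueryAllowed(queryOnly, deny, ME_QUERY));  // false
console.log(isQueryAllowed(withTypes, deny, ME_QUERY));  // true
console.log(isQueryAllowed(starDeny, allow, ME_QUERY));  // true
```

With a global deny fallback, every type that can appear in a response needs its own `'*': allow` (or per-field rules), which is what the maintainer's question above is getting at.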