Skip to content
/ access-control Public

[READ ONLY] Access control for fields and directives

License

GPL-2.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

getpop/access-control

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

558 Commits
config
config
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
composer.json
composer.json
 
 
phpstan.neon
phpstan.neon
 
 
phpstan.neon.dist
phpstan.neon.dist
 
 

Repository files navigation

Access Control

Access Control for schema elements

Install

Via Composer

composer require getpop/access-control

Development

The source code is hosted on the GatoGraphQL monorepo, under Engine/packages/access-control.

Usage

Initialize the component:

\PoP\Root\App::stockAndInitializeModuleClasses([([
    \PoP\AccessControl\Module::class,
]);

How does it work?

Access control deals in 2 modes: Public/Private schema modes.

The difference between Public and Private schema modes concerns the feedback given to the user when a validation fails. In Public mode, a detailed error message is given to the user (eg: "only users with role 'administrator' can access this field). In Private mode, there is no helpful information, instead the user is told that the field or directive does not exist.

We need to implement 4 cases of access control:

  1. Fields in Public schema mode
  2. Directives in Public schema mode
  3. Fields in Private schema mode
  4. Directives in Private schema mode

In Public schema mode, we can simply add a special directive that will validate the restriction (such as: is the user logged in? does the logged-in user have a specific role or capability?).

In Private mode, we add a hook that filters out the field or directive before it is registered.

In addition, whenever a validation must be performed to know if the user can access a field or directive, the response from the GraphQL server cannot be cached (when using component Cache Control). For the Public mode this situation is automatically handled, since the directive validating if the user is logged in or not already indicates that the response cannot be cached. For the Private mode, however, we need to add a special directive "NoCache". Hence, we need to deal with the following 2 cases:

  1. NoCache for Fields in Private schema mode
  2. NoCache for Directives in Private schema mode

PHP versions

Requirements:

  • PHP 8.1+ for development
  • PHP 7.4+ for production

Supported PHP features

Check the list of Supported PHP features in GatoGraphQL/GatoGraphQL

Preview downgrade to PHP 7.4

Via Rector (dry-run mode):

composer preview-code-downgrade

Standards

PSR-1, PSR-4 and PSR-12.

To check the coding standards via PHP CodeSniffer, run:

composer check-style

To automatically fix issues, run:

composer fix-style

Change log

Please see CHANGELOG for more information on what has changed recently.

Testing

To execute PHPUnit, run:

composer test

Static Analysis

To execute PHPStan, run:

composer analyse

Report issues

To report a bug or request a new feature please do it on the GatoGraphQL monorepo issue tracker.

Contributing

We welcome contributions for this package on the GatoGraphQL monorepo (where the source code for this package is hosted).

Please see CONTRIBUTING and CODE_OF_CONDUCT for details.

Security

If you discover any security related issues, please email leo@getpop.org instead of using the issue tracker.

Credits

License

GNU General Public License v2 (or later). Please see License File for more information.

About

[READ ONLY] Access control for fields and directives

Resources

Readme

License

GPL-2.0 license
Activity
Custom properties

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

99 tags

Packages

No packages published

Languages