[英]Laravel Lighthouse restrict mutation field
I would like to protect some specific fields of a content type to only allow admin user to modify the value but allow users to access it.我想保护内容类型的某些特定字段,只允许管理员用户修改值但允许用户访问它。
Imagine for instance the User
type with a is_admin
field.例如,想象一下带有is_admin
字段的User
类型。 Only admin should be able to update it but everyone should be able to read it.只有管理员应该能够更新它,但每个人都应该能够阅读它。
type User {
id: ID!
name: String!
email: String!
is_admin: Boolean!
}
The can directive doesn't seem to work with field in mutation. can指令似乎不适用于突变中的字段。 At first I tried adding @can(ability: "setAdmin")
with a custom policy but it didn't had any effect.起初我尝试使用自定义策略添加@can(ability: "setAdmin")
但它没有任何效果。 That same can/policy used on the mutation "worked" but this was not granular enough.用于突变“工作”的相同 can/policy 但这不够细化。
It appears that custom field restrictions using a custom directive should help, but this too doesn't seem to work on a field level in a mutation input type.似乎使用自定义指令的自定义字段限制应该有所帮助,但这似乎也不适用于突变输入类型的字段级别。
type mutation {
updateUser(
input: UpdateUserInput! @spread
): User @update @middleware(checks: ["auth:api"])
}
input UpdateUserInput {
id: ID!
name: String!
email: String!
is_admin: Boolean! @adminOnly
}
With this custom directive in app/GraphQL/Directives/AdminOnlyDirective.php
使用app/GraphQL/Directives/AdminOnlyDirective.php
这个自定义指令
<?php
namespace App\GraphQL\Directives;
use Closure;
use GraphQL\Type\Definition\ResolveInfo;
use Nuwave\Lighthouse\Exceptions\DefinitionException;
use Nuwave\Lighthouse\Schema\Directives\BaseDirective;
use Nuwave\Lighthouse\Schema\Values\FieldValue;
use Nuwave\Lighthouse\Support\Contracts\DefinedDirective;
use Nuwave\Lighthouse\Support\Contracts\FieldMiddleware;
use Nuwave\Lighthouse\Support\Contracts\GraphQLContext;
class AdminOnlyDirective extends BaseDirective implements FieldMiddleware, DefinedDirective
{
/**
* Name of the directive as used in the schema.
*
* @return string
*/
public function name(): string
{
return 'adminOnly';
}
public static function definition(): string
{
return /** @lang GraphQL */ <<<GRAPHQL
"""
Limit field update to only admin.
"""
directive @adminOnly() on FIELD_DEFINITION
GRAPHQL;
}
public function handleField(FieldValue $fieldValue, Closure $next): FieldValue
{
$originalResolver = $fieldValue->getResolver();
return $next(
$fieldValue->setResolver(
function ($root, array $args, GraphQLContext $context, ResolveInfo $resolveInfo) use ($originalResolver) {
$user = $context->user();
if (
// Unauthenticated users don't get to see anything
! $user
// The user's role has to match have the required role
|| !$user->is_admin
) {
return null;
}
return $originalResolver($root, $args, $context, $resolveInfo);
}
)
);
}
}
So, is there a way to prevent "update" of specific fields with laravel lighthouse?那么,有没有办法防止使用 Laravel 灯塔“更新”特定字段?
For now, you can use https://lighthouse-php.com/4.16/custom-directives/argument-directives.html#argtransformerdirective to transform that field to null
before inserting the database or just throw error out to avoid changes on your specific field, it's like how the @trim behaves;现在,您可以使用https://lighthouse-php.com/4.16/custom-directives/argument-directives.html#argtransformerdirective在插入数据库之前将该字段转换为null
,或者只是抛出错误以避免更改您的特定字段,就像@trim 的行为一样;
In lighthouse v5, it's class ArgTransformerDirective
has renamed to ArgSanitizerDirective
and method transform
to sanitize
在灯塔 v5 中,它的类ArgTransformerDirective
已重命名为ArgSanitizerDirective
和方法transform
以进行sanitize
https://github.com/nuwave/lighthouse/blob/v5.0-alpha.3/src/Schema/Directives/TrimDirective.php https://github.com/nuwave/lighthouse/blob/v5.0-alpha.3/src/Schema/Directives/TrimDirective.php
Extra:额外的:
I'm still figuring how @can works, cause i still need to drop the whole attribute instead of passing null to my database;我仍在弄清楚@can 是如何工作的,因为我仍然需要删除整个属性而不是将 null 传递给我的数据库;
Update: @can only apply to input
type instead of input
type更新:@can 只适用于input
类型而不是input
类型
The first idea I have in mind here is to create two different inputs and/or mutations.我在这里想到的第一个想法是创建两个不同的输入和/或突变。 Eg for admins with access to the field:例如,对于有权访问该字段的管理员:
updateUserAsAdmin(
input: UpdateUserFullInput! @spread
): User @update
@middleware(checks: ["auth:api"])
@can("users.update.full")
And UpdateUserFullInput
contains the is_admin
field.而UpdateUserFullInput
包含is_admin
字段。
I also came across this discussion a few times: https://github.com/nuwave/lighthouse/issues/325 Maybe you can also find some useful ideas here.我也遇到过几次这个讨论: https : //github.com/nuwave/lighthouse/issues/325也许你也可以在这里找到一些有用的想法。
You may also want to look at the official docs: https://github.com/nuwave/lighthouse/blob/master/docs/master/security/authorization.md#custom-field-restrictions您可能还想查看官方文档: https : //github.com/nuwave/lighthouse/blob/master/docs/master/security/authorization.md#custom-field-restrictions
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.