I have a mutation. How can I create a permission in hasura using variables in the graphql query?
eg:
mutation MyMutation($name:String!) {
  insert_post(objects: {name:$name}){
    name
  }
}
How can I use name variable in the permission?
It's me on Discord.
Just in case somebody has the same question: currently, Hasura doesn't support checking permissions against user input values. It only accepts values from session variables like x-hasura-user-id, etc.
But I think Hasura's approach is correct in not allowing permissions to be set based on user input.
If my answer is wrong, please correct me, thanks.
Hasura v2 allows for this sort of pattern now.
For example, if you had a table that had a list of allowed names,
you could check that the name being inserted was in the list of
allowed names by doing something like this:
insert_permissions:
  - role: user
    permission:
      check:
        _exists:
          _table:
            name: allowed_names
            schema: public
          _where:
            name:
              _ceq: ["$", "name"]
See also:
https://github.com/hasura/graphql-engine/issues/3459#issuecomment-1085666541
https://hasura.io/docs/latest/graphql/core/api-reference/syntax-defs/
Is there any way to force the username column to change all entries to lowercase?
Thanks
You can achieve this in two ways.
SaveTrigger: In the beforeSave() trigger of your user class, check if it is a new object, and if it is, change the given username to lower case using the .toLowerCase() method, like this:
if (!request.original)
    request.object.set("username", request.object.get("username").toLowerCase())
Client-side: Before signing up your users, just use the corresponding .toLowerCase() method for the language you are coding in, and then sign the user up.
I have a query that looks like this:
mutation update_single_article($itm: String, $changes: roles_set_input!) {
  update_roles(_set: $changes, where: {role_id: {_eq: $itm}}) {
    returning {
    }
  }
}
I am not sure where the type roles_set_input comes from. If I change it to something else I get an error saying "did you mean..." with a list of different values. Where does this value come from? Is it a GraphQL predefined type? Was it defined somewhere? I tried searching Google for this, but I wasn't able to get any results, probably because I am not sure what to search for.
If this value was defined somewhere is it possible to see it in Hasura?
Hasura automatically generates your GraphQL schema based on your Postgres database. You can run queries against your schema under the GraphiQL tab in the console.
You can explore the schema using either the "Explorer" panel on the left or by clicking the "Docs" link on the right. In addition to the description and return type for each field, the docs will also show any arguments available on each field, including the type for that argument.
This is my Schema.
Query {
  me: User #isAuthenticated
}
When I add #isAuthenticated it is handled on the server side, but in GraphQL Playground the directive doesn't show. I have a role-based access system and I want to show all the role directives publicly so that API users can understand what role is wanted for which query.
Schema directives can be used to transform the schema or add functionality to it, but they cannot be used to expose any sort of metadata to the client. There's ongoing discussion here with regards to how to implement that sort of functionality. For the time being, your best bet would be to utilize descriptions.
"""
**Required roles**: `ADMIN`
"""
Query {
  me: User #isAuthenticated
}
What's the best or the usual way to remove all roles from a user?
I tried
$roles = $user->getRoleNames();
$user->removeRole($roles);
Return value of App\User::getStoredRole() must implement interface Spatie\Permission\Contracts\Role, instance of Illuminate\Support\Collection returned
Use the plain Laravel detach method like so:
$user->roles()->detach();
I did it now in this way: $user->removeRole($user->roles->first());
You can also remove all roles by syncing to an empty array, like so.
$user->syncRoles([]);
I confirmed it works on version 5.8.
From reading the documentation it clearly says that you can pass a Collection instance to the removeRole so I think you are doing it right.
The assignRole, hasRole, hasAnyRole, hasAllRoles and removeRole functions can accept a string, a \Spatie\Permission\Models\Role object or an \Illuminate\Support\Collection object.
This works fine even on Laravel 7
For Roles:
$user->syncRoles([]);
For Permissions:
$user->syncPermissions([]);
From the Spatie documentation you can find there is a way to remove all previous roles and assign new roles with a simple
$user->syncRoles($roles);
For reference you can visit this link
I am starting to work with the Django REST framework for a mini-reddit project I already developed.
The problem is that I am stuck in this situation:
A Minisub is like a subreddit. It has, among others, a field named managers which is ManyToMany with User.
An Ad is an advertising which will be displayed on the minisub, and it has a field named minisubs which is ManyToMany with Minisub. It has also a author field, foreign key with User.
I would like to allow these managers to add some ads on their minisubs through a DRF API. It is actually working. But I want to check that they put in minisubs only minisubs where they are managers.
I found a way like that:
class AdSerializer(serializers.HyperlinkedModelSerializer):
    # ...
    def validate_minisubs(self, value):
        for m in value:
            if user not in m.managers.all():
                raise serializers.ValidationError("...")
        return value
My question is: how do I get user? I can't find a way to get the value Ad.author (this field is set automatically in the serial data according to the user authentication). Maybe I can't find a way because there is no way? Is the place to do this somewhere else?
Thanks in advance.
You may get it out of the serializer this way:
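from rest_framework import serializers

class YourModelSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = YourModel

    def validate_myfield(self, value):
        # DRF passes the field's value to validate_<field_name> methods
        instance = getattr(self, 'instance', None)
        ...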
I believe that this is a job for the permissions. If you are performing CRUD operations for inserting that into a database, then you can have a permission class that returns True if the user is a manager.
A permission instance has access to the request, which you can use to get the user and check if he is a manager:
http://www.django-rest-framework.org/api-guide/permissions/#custom-permissions