ACL on node fetches about graphql-sequelize HOT 10 CLOSED

Was just implementing this myself and looking into a variety of different things which needed ACL applying and how to do them concerning their different method signatures. From reading through old issues and comments from Mick.

Users have Wallets:

• Admins are users with user.permissions > 1 and can see everything
• Users should not be able to view other user's wallets
• Users should not be able to query a wallet using Root wallet field or Node field
• Users shouldn't be able to list wallets

user-access-acl.js

export function userHasAccess(result, context) {
  return context.user && (context.user.permissions > 1 || context.user.id === result.userId);
}

export function userOwnedBefore(findOptions, args, context) {
  findOptions.where = context.user && context.user.permissions > 1 ? {} : { userId: context.user.id };
  return findOptions;
}

export function userOwnedAfter(result, args, context) {
  return userCanView(result, context) ? result : null;
}

ACL for Node querying by specifying a resolve
#92 (comment)

nodeTypeMapper.mapTypes({
  [User.name]: UserType,
  [Wallet.name]: {
    type: WalletType,
    async resolve(globalId, context) {
      const { id } = fromGlobalId(globalId);
      const wallet = await Wallet.findById(id);
      return userHasAccess(wallet, context) ? wallet : null;
    },
  },
});

Blocking a wallets root query directly in resolve

wallets: {
  type: WalletConnectionType.connectionType,
  args: WalletConnectionType.connectionArgs,
  resolve: (source, args, context, info) => {
    if (!context.user || context.user.permissions < 2) {
      throw new Error('You lack the permissions to make this query');
    }

    return WalletConnectionType.resolve(source, args, context, info);
  },
},

Block querying a wallet by ID by using an after hook
#92 (comment)

wallet: {
  type: WalletType,
  args: {
    id: {
      type: new GraphQLNonNull(GraphQLID),
    },
  },
  resolve: async (source, args, context, info) => {
    args.id = fromGlobalId(args.id).id;
    return await resolver(Wallet, {
      after: userOwnedAfter,
    })(source, args, context, info);
  },
},

Block querying walletConnections using a before hook to force them to match your ID
#387 (comment)

export const UserType = new GraphQLObjectType({
  name: User.name,
  description: '',
  fields: () => {

    const walletsConnection: any = sequelizeConnection({
      name: 'UserWallet',
      nodeType: WalletType,
      target: User.associations.wallets || Wallet,
      connectionFields: {
        total: {
          type: GraphQLInt,
          resolve: source => source.countWallets(),
        },
      },
      before: userOwnedBefore,
    });

    return {
      ...attributeFields(User, {
        globalId: true,
        commentToDescription: true,
      }),
      wallets: {
        type: walletsConnection.connectionType,
        args: walletsConnection.connectionArgs,
        resolve: walletsConnection.resolve,
      },
    };
  },
  interfaces: [nodeInterface],
});

The above should cover all vectors of fetching something without access to. Let me know if there's any way this can be improved and I hope it helps someone else looking for a complete list. I like to leave a breadcrumb trail for anything I find out

from graphql-sequelize.

@justinpincar We just end up implementing our own resolver rather than using the built in from graphql-sequelize.

from graphql-sequelize.

For this reason, I'm using a custom solution for the nodeDefinitions.. looks something like:

models[type].findOne({ where: { [models[type].primaryKeyAttribute]: id, user_id: user.id } });

I also have some special case types where I just findById (public models).

Maybe a beforeFind hook for each type in mapTypes would work? Something like:

nodeTypeMapper.mapTypes({
  [Post.name]: {
    type: postType,
    beforeFind: (options, info) => { options.where.user_id = info.rootValue.id; return options; }
  }
});

In my case, that beforeFind function could be re-used for almost all models with the same ACL constraints, like so:

function addUserConstraint(options, info) {
  options.where.user_id = info.rootValue.id;
  return options;
}
nodeTypeMapper.mapTypes({
  [Post.name]: {
    type: postType,
    beforeFind: addUserConstraint
  },
  [Project.name]: {
    type: projectType,
    beforeFind: addUserConstraint
  }
});

from graphql-sequelize.

I like extending the before/after methodology from the resolver to the nodeTypeMapper. Good idea.

from graphql-sequelize.

That could work. I hate having to remove findById since it's very trivial to cache, but maybe we can do something smart.

from graphql-sequelize.

Agreed, i like atleast having the after hook for common ACL. With the direction i see graphql/sequelize going in anyways we want more batching and more post processing and less ad-hoc ACL queries.

from graphql-sequelize.

If by "batching" you mean something like DataLoader, the ACL stuff sort of moves into the DataLoader anyway. For us, at least, we instantiate DataLoaders with every request so that it's tied to the user, and then all queries within that loader add user_id to the query.

from graphql-sequelize.

Hey folks, just starting to write a classroom management tool using graphql-sequelize and was hoping to get some guidance around this ACL issue.

• Any more recent info on how to do an authorization check on node lookups? E.g. teachers can only view students with matching student.teacher_id

Thanks!

from graphql-sequelize.

@intellix Really helpful to see your implementation of the different approaches, thank you for sharing.

from graphql-sequelize.

No problem :) was looking into providing a custom resolver but it looks like different things use different ways. Some need before hooks, others need after hooks. Relay seems to hardcode the locally provided resolver: https://github.com/mickhansen/graphql-sequelize/blob/master/src/relay.js#L216

from graphql-sequelize.