Auth Scopes & relayMutationField -- Providing parent
to Scope?
#905
-
I've got an auth setup that allows admin users to read certain data of user's who belong the organization that admin manages. This is super easy to configure using the authScopes: (user) => ({
developer: true,
admin: user.organization_id,
teacher: user.id,
}), However, when trying to add auth onto a builder.relayMutationField(
'deleteUser',
{
inputFields: (t) => ({
id: t.globalID({
required: true,
}),
}),
},
{
authScopes: (user, args) => ({
developer: true,
teacher: parseInt(args.input.id.id, 10),
// admin??
}),
resolve: async (root, args) => deleteUser(root, args),
},
{
outputFields: (t) => getOutputField(t, UserNode),
},
); It's worth noting that the parent value does contain data in the |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
The parent of a mutation field is the "root" object (empty in most APIs, not the value returned from the resolve function. Pothos doesn't know anything about your User type, and the check would need to run before you try to delete the user (before you run the resolver). What you can do istead is move the auth checks into your resolver.
|
Beta Was this translation helpful? Give feedback.
The parent of a mutation field is the "root" object (empty in most APIs, not the value returned from the resolve function. Pothos doesn't know anything about your User type, and the check would need to run before you try to delete the user (before you run the resolver).
What you can do istead is move the auth checks into your resolver.