FYI: https://dgraph.io/docs/graphql/authorization/mutations/#add

Rules for `add` authorization state that the rule must hold of nodes created by the mutation data once committed to the database.

Delete rules filter the nodes that can be deleted. A user can only ever delete a subset of the nodes that the `delete` rules allow.

Currently, Dgraph evaluates `update` rules before the mutation.
How Dgraph handles update rules would allow a user to take a Help and assign it to a different User; just be aware of this limitation. I have created a feature request to allow for both before and after rules on updates to handle this.
Another issue may arise with your schema: you are restricting Users so a user can only see their own. If you then try to view the Help.fromUser edge you will get errors because it could return a null edge when it is required. These are just some of the limitations right now of how auth works and how GraphQL handles required fields. There is no way right now in Dgraph’s generation of the GraphQL schema to make an edge required for mutations but not required for queries to suppress this missing required field error from GraphQL.
Here are a few basic mutation rules to get you started, with some comments:
```graphql
type User @auth(
  query: { rule: "query($EMAIL: String!) { queryUser(filter: { email: { eq: $EMAIL } }) { email } }" }
) {
  id: ID!
  email: String! @id
  helps: [Help]
}

type Help @withSubscription @auth(
  # Users can only add Help if it is from them
  add: { rule: "query($EMAIL: String!) { queryHelp { fromUser(filter: { email: { eq: $EMAIL } }) { email } } }" }
  # Users can only update Help if they created it
  update: { rule: "query($EMAIL: String!) { queryHelp { fromUser(filter: { email: { eq: $EMAIL } }) { email } } }" }
  # Users can only delete their own Help requests
  delete: { rule: "query($EMAIL: String!) { queryHelp { fromUser(filter: { email: { eq: $EMAIL } }) { email } } }" }
) {
  id: ID!
  title: String!
  description: String!
  fromUser: User! @hasInverse(field: helps)
}
```
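To make the update limitation above concrete, here is an added in-memory model (not code from the post or from Dgraph) of the Help rules: the `Help` node shape, the `EMAIL` claim and the `evaluate_after` switch are assumptions for illustration, and the switch contrasts the current before-mutation check with the requested before-and-after check.

```python
# Added example: a model of the Help auth rules from the schema above.
# Node shape, claim names and helper names are assumptions for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Help:
    id: str
    title: str
    from_user: str  # email on the fromUser edge (the owning User)


def rule_holds(node: Help, claims: dict) -> bool:
    """Model of `queryHelp { fromUser(filter: {email: {eq: $EMAIL}}) { email } }`:
    the node passes only when its fromUser edge points at the JWT's EMAIL claim."""
    return node.from_user == claims["EMAIL"]


def update_help(node: Help, patch: dict, claims: dict, evaluate_after: bool) -> Help:
    """Apply an updateHelp-style patch guarded by the update rule.

    evaluate_after=False mirrors current Dgraph behaviour (rule checked against
    the node as it exists before the mutation). evaluate_after=True mirrors the
    requested before-and-after check. Raises PermissionError when a check fails.
    """
    if not rule_holds(node, claims):
        raise PermissionError("update rule failed before mutation")
    updated = replace(node, **patch)
    if evaluate_after and not rule_holds(updated, claims):
        raise PermissionError("update rule failed after mutation")
    return updated


def update_allowed(node: Help, patch: dict, claims: dict, evaluate_after: bool) -> bool:
    """True when the patch would be accepted under the given evaluation mode."""
    try:
        update_help(node, patch, claims, evaluate_after)
        return True
    except PermissionError:
        return False


# Constructed sample data: Alice owns the Help request, Bob does not.
ALICE = {"EMAIL": "alice@example.com"}
BOB = {"EMAIL": "bob@example.com"}
HELP = Help(id="0x1", title="Need a hand", from_user="alice@example.com")
REASSIGN_TO_BOB = {"from_user": "bob@example.com"}
```

With the before-only check the owner can hand the node to another User (the limitation described above); an after check would reject that patch while still letting the owner edit other fields.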