I am reading this for the first time to understand this in detail. I have a use case where I want to allow some content through a custom query with DQL that a user does not normally have access to under normal @auth rules. Will this still be possible?
Use Case Defined:
- Users should not be able to see a list of all other users in the system
- Admins in the application need to be able to manage users, so disabling
queryUserand allowing onlygetUseris not a viable solution. - A User can share data with another user directly if they know their full name.
- A user enters a first and last name in a field, the client parses this and runs a query to the custom query, the custom query uses DQL to bypass all auth rules to find a user that matches that full name. If the full name matches then return that user uid, no other information, only the uid.
- Client can then use the uid returned to create an access node granting that uid to this user’s data nodes as he desires.
This whole use case is still in flux as I figure out how to do this better with auth rules (pending a few bug fixes in the works prayerfully.) I am thinking about allowing a user to set their own profile as public or not which allows other users to know they exists, or even allow a user to make their existence only known to a select set of users. But anyway I am trying to do this now I cross the point where the client needs to know if the referenced user actually exists to make themselves known to if not made known publicly.