Love the workaround! Of course, until the update-after is implemented, not sure if that is secure either.
@amaster507 I think you should redo the feature request with examples using the template. When I first read it, I had to re-read it a few times to understand what you were talking about, but obviously I agree with the premise.
While the Dgraph Team wants to look at it from a problem perspective, and not a solution perspective, I suspect if there was a solution that was simple, clearly thought-out, and matches Dgraph’s way of doing things, they may actually add to the list of important features to implement (attached to the problem feature request of course).
Another Idea?
My theory is that conditional rules would fix this.
The specific problem: Allow RBAC and ABAC in the @auth rules like SQL so a user doesn’t have to rely on JWT’s limitations
The broad problem: Non type related @auth rules
Currently @auth rules work by:
- Filtering out what a user can’t see based on data from the JWT
- Checking for specific values in the JWT using the `eq` modifier (don't believe `in` works either at this point?)
What is needed?
- Conditional Rules
Ex:
```graphql
@auth(
  query: {
    if: [
      { value: "query($USER: String!) { queryUser(filter: { user: { eq: $USER } and: { role: { name: { eq: \"admin\" } } } }) { id } }" }
    ],
    then: [
      { rule: "query ($USER: String!) { queryUser(filter: { user: { eq: $USER } }) { id } }" }
    ]
  }
)
```
The value only evaluates boolean based on whether or not there is a return value, or a return type / array of types. You could have several if values just like you can have several rules now.
Of course, another option is to allow variables in GraphQL (although against the standard from my understanding) that could allow these types of evaluations…
Another Thought… From DQL…
```
{
  v as var(func: eq(user@en, $USER)) @filter(eq(name@en, "admin")) {
    id
  }
  query @if(gt(len(v), 0)) {
    var(func: eq(user@en, $USER)) {
      id
    }
  }
}
```
Pardon my novelty in DQL, not even sure if you can do conditional queries…, but this is for prototyping anyway…
To a rule like this in GraphQL (probably not possible by graphql standards, but trying to think outside the box):
```graphql
@auth(query: {
  rule: """
    isAdmin: query($USER: String!) {
      queryUser(filter: {
        user: { eq: $USER }
        and: { role: { name: { eq: \"admin\" } } } })
      {
        id
      }
    },
    if(filter: { isAdmin: { ge: 0 } }) {
      query ($USER: String!) {
        queryUser(filter: { user: { eq: $USER } }) {
          id
        }
      }
    }
  """
})
```
So, just spitballing some stuff here, I realized when I typed that out, what was in my head makes no sense.
Either way, someone should create a new Feature Request stating the problem, and link to this post.
J
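For reference, the two mechanisms the post lists as available today (an `eq` check on a JWT claim, and a query that filters by a JWT claim) can be combined with `or` in the current Dgraph `@auth` syntax. This is an added example, not code from the post or from Dgraph; the type names, field names, claim names (`ROLE`, `USER`), namespace and key are assumptions. It also shows the limitation the post is about: the role is read from the JWT, not from the `role` edge in the graph.

```graphql
# Dgraph.Authorization {"VerificationKey":"<REPLACE-WITH-HS256-SECRET>","Header":"X-Auth-Token","Namespace":"https://example.com/jwt/claims","Algo":"HS256"}

# Assumed schema: a User node with an optional Role edge.
type User @auth(
  query: { or: [
    # RBAC: the "ROLE" claim in the JWT must equal "admin".
    # Note the value is trusted from the token, not checked against Role below.
    { rule: "{$ROLE: { eq: \"admin\" } }" },
    # ABAC: otherwise the caller only sees the User whose username
    # matches the "USER" claim; the rule passes when the query returns a node.
    { rule: """
      query ($USER: String!) {
        queryUser(filter: { username: { eq: $USER } }) {
          username
        }
      }
    """ }
  ] }
) {
  username: String! @id
  role: Role
}

type Role {
  name: String! @id
  users: [User] @hasInverse(field: role)
}
```

A token whose claims carry neither `ROLE: "admin"` nor a matching `USER` gets an empty result from `queryUser` rather than an error.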