How can we secure the GraphQL API from malicious queries in Dgraph?

Welcome to the forums @pshaddel!

Dgraph has an @auth directive that I believe you can use to do what you’re asking.

For example:

type Todo @auth(
    query: { rule: """
        query { 
            queryTodo(first: 100) { 
                id 
            } 
        }"""
    }
){
    id: ID!
    text: String! @search(by: [term])
    owner: String! @search(by: [hash])
}

This would only allow you to query up to 100 items, and you could use first in your actual code to get only the first 10, for example. These query rules, similar to policies in SQL or RLS (Row Level Security), can be quite powerful.

Basically, it filters your results before you get your actual results. You can do a lot with queries, but I believe the biggest caveat is the missing update-after rules in mutations. There seems to be an internal debate at Dgraph on the importance of validation and verification on the backend, but luckily most people realize its importance and we should hopefully see more security features in the future.

J

2 Likes
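As an added example (not from the original post and not taken from Dgraph's own documentation), the same @auth mechanism applied as an owner-based row filter: the rule reads a `USER` claim from the request's JWT and restricts both reads and adds to the caller's own rows. The `# Dgraph.Authorization` line, the `X-Auth-Token` header, the claims namespace and the placeholder key are assumptions made for this example.

```graphql
# Added example: per-owner row filtering with Dgraph's @auth directive.
# Assumes the JWT carries a "USER" claim under the namespace named in the
# Dgraph.Authorization line below; the verification key is a placeholder.
type Todo @auth(
    # Read side: a Todo is returned only if its owner equals the caller's
    # USER claim, so the filter is applied before results are produced.
    query: { rule: """
        query($USER: String!) {
            queryTodo(filter: { owner: { eq: $USER } }) {
                id
            }
        }"""
    },
    # Write side: an add mutation succeeds only if the new Todo's owner
    # equals the caller's USER claim, so a client cannot write rows for
    # someone else.
    add: { rule: """
        query($USER: String!) {
            queryTodo(filter: { owner: { eq: $USER } }) {
                id
            }
        }"""
    }
) {
    id: ID!
    text: String! @search(by: [term])
    owner: String! @search(by: [hash])
}

# Placeholder authorization settings (assumed for this example): JWT is read
# from the X-Auth-Token header and claims are taken from the given namespace.
# Dgraph.Authorization {"VerificationKey":"<PLACEHOLDER-HMAC-SECRET>","Header":"X-Auth-Token","Namespace":"https://dgraph.io/jwt/claims","Algo":"HS256"}
```

A request whose token lacks the `USER` claim matches no rows, so `queryTodo` returns an empty list rather than leaking other owners' data.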