
How to implement security #49

Open
blade503 opened this issue Jul 5, 2017 · 5 comments

Comments


blade503 commented Jul 5, 2017

I'm trying to set up the security for the bundle. But I'm a bit confused because I don't succeed in finding examples of use, and the docs are not complete at all. I saw there were black/white lists and Voters. But how can I use them?

For example, if I would like to handle access control on a field of a type: for example, A is a user and B is an admin. A can't access a certain field but B can because he is an admin? I don't know if this is even possible at the moment with the bundle.

And also, does the bundle handle field deprecation in the type?

Thanks for your answers !


eskrano commented Jul 6, 2017


blade503 commented Jul 6, 2017

@eskrano The link doesn't mention voters, or even how to handle it with this bundle. So thanks for your attempt, but I know how to handle security in Symfony; the behavior I want is not in the basics of Symfony, and I got no doc from the docs of the bundle.


geotry commented Jul 19, 2017

Personally I use GraphQL types to handle security. For instance, you can create a type PublicUser with public data and a type FullUser with all data.

This way your field can return a union of users (either PublicUser or FullUser) depending on your logic. So if you are an admin, you will see each user as a FullUser, whereas regular users will see only PublicUser. You can use interfaces to regroup common fields and handle both users as one in your query.

You don't even have to worry about returning too much data from your resolvers, since the GraphQL processor will filter the data automatically for you. All you have to do is return the correct type.

@blade503

Well, it looks very interesting to me. I started to do the verification on the type. But the type doesn't have access to the Symfony container to get the authorization checker? How do you check in the type that the user has ROLE_ADMIN?


geotry commented Jul 20, 2017

Actually the type will be set by your union type, in the method resolveType(), which takes as its argument the value you resolved in your field (a user object in your case).

When you resolve your users in your field (here you have access to the container), you can add a piece of information to your user object, like selfUserRoles, to hold the roles of the current user.

When the method resolveType() of the union is called, you can check the value of selfUserRoles to return either the PublicUser or the FullUser type.

It's just an example, of course, to show you how you can control the type with unions.
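The two comments above from geotry describe one pattern: the resolver (which has access to the container and the authorization checker) attaches the viewer's roles to each returned object, the union's resolveType() picks PublicUser or FullUser from that, and the executor then copies only the chosen type's declared fields into the response. The following is an added illustration in plain JavaScript, not code from the bundle or from anyone in this thread; it models the union, the resolver and the field projection without a GraphQL library. The type names PublicUser and FullUser, the property name selfUserRoles and the user records are assumptions taken from or constructed for the discussion.

```javascript
// Constructed sample data: what the field resolver fetches from storage.
const USERS = [
  { id: 1, name: 'alice', email: 'alice@example.test', isBanned: false },
  { id: 2, name: 'bob',   email: 'bob@example.test',   isBanned: true  },
];

// Object types: each declares the fields a client may select on it.
const PublicUser = { name: 'PublicUser', fields: ['id', 'name'] };
const FullUser   = { name: 'FullUser',   fields: ['id', 'name', 'email', 'isBanned'] };

// Union: resolveType() decides, per resolved value, which concrete type applies.
// The viewer's roles were attached by the resolver as selfUserRoles (assumed name).
// If the property is missing, the check fails closed and yields PublicUser.
const UserUnion = {
  name: 'UserUnion',
  types: [PublicUser, FullUser],
  resolveType(value) {
    const roles = Array.isArray(value.selfUserRoles) ? value.selfUserRoles : [];
    return roles.includes('ROLE_ADMIN') ? FullUser : PublicUser;
  },
};

// Field resolver: this is the layer that has the container / authorization
// checker, so it is where the current viewer's roles get attached to each object.
function resolveUsers(viewer) {
  const roles = Array.isArray(viewer.roles) ? viewer.roles : [];
  return USERS.map((u) => ({ ...u, selfUserRoles: roles }));
}

// The part of the "processor" that does the filtering: after the union picks a
// type, only that type's declared fields are copied to the response. Everything
// else the resolver returned (email, isBanned, selfUserRoles) is dropped.
// A requested field that is not on the chosen type is omitted, which mirrors an
// inline fragment such as `... on FullUser { email }` not applying to a value
// that resolved to PublicUser.
function project(union, value, requestedFields) {
  const type = union.resolveType(value);
  if (!union.types.includes(type)) {
    throw new Error(`resolveType returned a type outside ${union.name}`);
  }
  const out = { __typename: type.name };
  for (const f of requestedFields) {
    if (type.fields.includes(f)) out[f] = value[f];
  }
  return out;
}

// Executes the "users" field for a viewer: resolve, then project per object.
function queryUsers(viewer, requestedFields) {
  return resolveUsers(viewer).map((u) => project(UserUnion, u, requestedFields));
}

// Usage: the same selection set, two viewers.
const admin  = { roles: ['ROLE_USER', 'ROLE_ADMIN'] };
const member = { roles: ['ROLE_USER'] };
console.log(queryUsers(admin,  ['id', 'name', 'email', 'isBanned']));
console.log(queryUsers(member, ['id', 'name', 'email', 'isBanned']));
```

The point worth checking in your own schema is the one this model makes visible: the resolver returns the whole record for every viewer, so the only thing standing between a regular user and the email field is resolveType() choosing PublicUser, plus the engine restricting output to that type's fields. Keep the role check in one place (the union), have it fail closed when the role information is absent, and make sure no other field or type exposes the same data under a more permissive type.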
