Comments (3)

PeteDuncanson commented on June 9, 2024

Stephen has done some work on this and got it doing what we think it needs to do. PR is in the works once he's tidied it up.

from umbraco-graphql.

jsommr commented on June 9, 2024

I can't figure out what your plans for security are by reading your issues, so I'll come with a proposal for discussion here, and please forgive me if it's what you already had in mind.

I'd like to manage security via users and roles in Umbraco, where access is disallowed by default.

One creates a group, let's call it PublicAPI. Then a user named Website, assigned to that group. This user can authenticate with the API, but won't have access to anything, because no access has been given (Umbraco also seems to default to no access for everything when creating users and groups).

Umbraco doesn't support field level access, which is a shame. So I'll be focusing on nodes only.

You can assign default permissions for a group, but it's not desirable since it'll turn things around from a no access by default to access by default. This can quickly get messy.

So we're left with granular access. But you can only set permissions for single nodes, and not tell Umbraco to inherit them for the children or descendants. Let's say someone implemented this, and now you'd want to prevent access to one of the children; you can't do that, because Umbraco removes all granular access entries that don't check at least one of the boxes in the list of permissions.

Does anyone know what can be done about this?

Edit: Let me know if I should create a new issue instead. There are just so many on security already that I wouldn't start another thread.

from umbraco-graphql.
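The inheritance problem raised in the comment above, as an added example that is not part of the thread and is not Umbraco or umbraco-graphql code. It is a standalone model of deny-by-default node permissions with inheritance; the node names, the `read` action and every function name are hypothetical, and only the `PublicAPI` group name comes from the comment.

```python
from typing import Dict, FrozenSet, Optional, Tuple

Entries = Dict[Tuple[str, str], FrozenSet[str]]

# Constructed content tree (hypothetical node names): node -> parent, None = root.
PARENT: Dict[str, Optional[str]] = {
    "home": None, "products": "home", "pricing": "products",
    "internal-notes": "products", "blog": "home",
}

# Granular entries: (group, node) -> allowed actions. The empty set is kept on
# purpose: it is an explicit "no access" that stops inheritance at that node.
ENTRIES: Entries = {
    ("PublicAPI", "products"): frozenset({"read"}),
    ("PublicAPI", "internal-notes"): frozenset(),
}

def effective_permissions(group: str, node: str,
                          entries: Entries = ENTRIES) -> FrozenSet[str]:
    """Nearest entry on the path to the root wins; no entry means no access."""
    seen = set()
    current: Optional[str] = node
    while current is not None:
        if current not in PARENT or current in seen:
            return frozenset()  # unknown node or cyclic tree: fail closed
        seen.add(current)
        entry = entries.get((group, current))
        if entry is not None:  # an empty entry is still an entry
            return entry
        current = PARENT[current]
    return frozenset()  # walked past the root without finding a grant

def can(group: str, node: str, action: str, entries: Entries = ENTRIES) -> bool:
    return action in effective_permissions(group, node, entries)

def prune_empty(entries: Entries) -> Entries:
    """Models the behaviour the comment describes: entries with no boxes
    checked are dropped, which erases the explicit denial on a child."""
    return {key: actions for key, actions in entries.items() if actions}

if __name__ == "__main__":
    pruned = prune_empty(ENTRIES)
    for node in PARENT:
        print(node, can("PublicAPI", node, "read"),
              can("PublicAPI", node, "read", pruned))
```

With the empty entry stored, `internal-notes` stays closed while `pricing` inherits `read` from `products`; once empty entries are pruned, `internal-notes` silently inherits `read` as well.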

rasmusjp commented on June 9, 2024

Hi

Just wanted to let you know that the project is moving to the Umbraco Community GitHub organisation, so we are closing all existing issues.

If you think your issue is still relevant, please feel free to reopen it.

/Rasmus
